Archive for June, 2007

Potential Arkansas.gov Data Breach

I recently stumbled across a cached Google version of a Microsoft Excel which contained a list of roughly 284 individuals who appear to be Psychologists licensed in the state of Arkansas. Arkansas.gov had posted some very sensitive information about these individuals.

The Google cache of the excel document listed following information for each of the roughly 284 individuals.

  • License Type
  • License Number
  • License Status
  • SSN
  • Title
  • First Name
  • Middle Name
  • Last Name
  • Address
  • Address 2
  • City
  • State
  • Zip
  • Work Phone
  • EMail
  • License Began
  • License Expires
  • High Degree
  • DOB
  • SuperviseDate
  • Spoken Languages
  • Sign Languages

As of June 10, 2007, the file was still available through the Arkansas Psychology Board website site map, with two notable exceptions. The June 10th version did NOT contain the columns named “SSN” or “DOB.” I don’t know when the previous version (picked up by search engine caches) was posted online, but the server reported that it was “last modified” on May 31, 2007 at 12:17:


Name Last modified Size Description
-------------------------------------------------
Parent Directory 06-Jun-2007 15:02 -
[Redacted].xls 31-May-2007 12:17 134k

I was able to alert almost 250 of them of the existence of the file in an e-mail:

My name is Aaron Titus. I am a private citizen, and privacy advocate. I am sending this e-mail to warn that you may be at extreme risk of identity theft….

The existence of this information may or may not come as a surprise to you, but should be of concern. This file (or some previous version of this file) probably contains sufficient information for someone to commit identity theft in your name. In addition, this file (or some previous version of the file) may be stored permanently in search engine caches or web archives. I strongly suggest that you check your credit report as soon as possible. The FTC has posted information on how you can access your credit report, at http://www.ftc.gov/bcp/conline/pubs/credit/freereports.shtm.

You are free to call me directly if you have any questions, but I have no additional information than what I have given you. I have not attempted to contact the Arkansas State government, nor the Arkansas Psychology Board. I am sending this message as a concerned individual, and not in behalf of, or in association with any organization or company….

I quickly received several thank-you letters and phone calls in return, some reporting past identity theft attempts.

Arkansas.gov Privacy Policy

Just for fun, I took a look at Arkansas.gov’s Privacy Policy. As usual, it does not come close to dealing with a situation like this. The closest I could find to a statement on-point was in the section under the Arkansas Freedom of Information Act:

The Arkansas government has information about individuals… contained in the public records of the Arkansas state and local government. … See Ark. Code Ann. 25-19-105. Information generally available under the Arkansas Freedom of Information Act and not made confidential elsewhere in the Arkansas Code or by federal law may be posted for electronic access through the Information Network of Arkansas.

The Arkansas Freedom of Information Act recognizes many concerns people have with regard to public records that include information about them, including the right to correct inaccurate information. Consequently, persons concerned with regard to information about them should contact the custodian of the record, which typically is the state agency or other governmental entity that collects and maintains the information.

Translation: “If we decide that your SSN is in the public record, we can publish it with impunity, but don’t worry- we’ll fix it if it’s wrong.” I’m sure that policy will be very comforting to the psychologists whose information the Arkansas government threw to the wind.

2 Comments