Hackers invaded state Web sites 72 times in five years

February 26, 2005

By Barbara Woller, The Journal News

http://www.thejournalnews.com/apps/pbcs.dll/article?AID=/20050226/BUSINESS01/502260306/1066/BUSINESS01



Raising new concerns about identity theft, a report released this month by a legislative committee found that information on Web sites of state agencies and authorities has been hacked at least 72 times in six years.

The report - "Tip of the Iceberg: New York State Government's Losing Battle Against Hackers" - is from the Assembly's Committee on Oversight, Analysis and Investigations.

It looks at break-ins and Web site defacements that occurred between 1999 and early December 2004 in the computer systems of entities such as the state's Department of Motor Vehicles, the Department of Education, the Department of Correctional Services and the New York Power Authority. Web site defacement occurs when information on a particular site is replaced by a message or image posted by a hacker.

Identity theft can occur when personal information, such as Social Security and credit card numbers, is stolen for fraudulent use. The Federal Trade Commission said identity theft has been its top consumer complaint for five years.

"We rely on business and government when we give them personal information ... that they'll keep it safe and secure," said State Sen. Jeff Klein, D-Bronx, who headed the Assembly's oversight committee that wrote the report before he was elected to the State Senate last year. "Unfortunately, the state and private companies are not keeping that information safe, which can lead to ID theft."

For example, the report said that in September a computer virus crippled the internal systems of the state education department and brought its computer network to a halt.

The worst case occurred, Klein said, when the Web site of the State Division of Military and Naval Affairs, which tracks information on where the state's National Guard troops are stationed, was defaced.

But William Pelgrin, director of the state Office of Cyber Security and Critical Infrastructure Coordination, said that no consumer information was compromised in any of the incidents in the Assembly report.

"The report has a lot of information that is misleading and inaccurate," Pelgrin said. "They took some of the data and misinterpreted it."

As for the defacement against the military and naval affairs Web site, Pelgrin said the federal government has jurisdiction over that network and the incident involved other issues, such as outsourcing.

Pelgrin said he does not want to minimize any defacement.

"But just because we're taking them seriously doesn't mean we're not secure," he said, adding that the sites are constantly monitored.

Separately, another security breach was brought to light this month when ChoicePoint announced that as many as 145,000 consumers, including about 9,370 in New York, may have had their personal information stolen when security in its database was breached by a fraud ring. ChoicePoint is based in Alpharetta, Ga., and collects data to verify identification and credentials for business, government and other entities for purposes including employment background checks.

Klein introduced legislation that passed the Assembly last year that would require governmental agencies and businesses to notify consumers when security breaches occur. Currently, California is the only state with such a law.

Assemblyman James Brennan, D-Brooklyn, who succeeded Klein as chairman of the Committee on Oversight, Analysis and Investigations, will re-introduce the bill in the Assembly this year.

The "Tip of the Iceberg" report recommends that:

* Klein's bill to require victim notification in the case of a cyber security breach become law.

* A full explanation of the 72 intrusions cited in the report be provided to the Legislature.

* Minimum standards be set for State Information Security officers.

* The state Division of Military and Naval Affairs reassess its relationship with its Web hosting provider because of the hacking incident.

Klein said state cyber security officials say no information has been taken but it is hard to be sure.

"That's why it's so important we have some type of notification in place," he said.

