SHA Personal Information Exposed Accidentally

David Collins Reports

April 25, 2008

BALTIMORE -- Sensitive personal information concerning 1,800 State Highway Administration employees, including names and Social Security numbers, was compromised last week, officials said.

"We had an incident where an employee transferred personnel transaction data from a secure drive to a SHA shared drive," said SHA Deputy Administrator of Finance and I.T. Normetha Goodrum.

An internal investigation found that the breach was done inadvertently and not with criminal intent.

SHA said it is currently redacting Social Security numbers and will no longer keep them in personnel files. They said that personnel information will be password protected.

Officials said they're still checking to see if the information has gone beyond the agency, but said they don't believe so. They sent letters and e-mails to those potentially impacted, including SHA field workers and former employees.

Computer security expert Avi Rubin of Johns Hopkins University said he considers the internal data compromise serious and preventable.

"I think it is even more important for organizations to look into encryption solutions so that when these things occur, somebody can only find encrypted data and it won't do them any good," he said.

Security breaches of computer data have become a growing problem. State law mandates that businesses keep consumer data and report when it's lost or stolen. The state attorney general's office keeps track of them.

So far this year, 64 companies have reported security breaches, officials said. They said that hackers sometimes get it, and in some cases, it's stolen out of employees' homes, cars or lockers.

"They can open bank accounts, take out a mortgage, establish a line of credit all in your name, then skip town," Rubin said.

"We are taking it seriously, and we want to take every measure possible so that it does not happen again," Goodrum said.

Computer experts said they are amazed that companies rarely do security sweeps or preventive maintenance. Rubin said that most react only after their information is compromised or breached.
