Last year, a data breach of 1.6 million unemployment records from the state Auditor’s office during an audit of the Employment Security Department (ESD), caused concern that the stolen data would be used by hackers to steal Washington residents’ identities. So far, according to the auditor’s office, that appears not to have happened.
However, in an ironic twist, the audit of ESD, triggered by the Nigerian fraud scam that stole $650 million, was sourced from a data breach that had occurred several years earlier.
As is often the case with data breaches, data from different breeches are combined to create a larger dataset that a criminal element can use more effectively. For the Auditor’s office to assume that because the data doesn’t appear to be compromised that the victims of the breech are safer, is a false assumption. Data that has been compromised can take years to resurface as the Nigerian fraud scam illustrated.
The reduce the risk of sensitive data being exposed, government agencies should follow industry guidelines for handling sensitive data. This includes requiring the vendors and partners they do business with to follow the same guidelines. Additionally, agencies should only collect the information that is needed to provide the service they are providing and delete the data when it is no longer required.
House Bill 1455, was introduced to specifically address the most recent breech. It applies the idea that social security numbers (SSN) should not be shared between agencies or third parties, but the problem is deeper than just not sharing SSN data. Sensitive data should not be collected in the first place unless it’s absolutely necessary. Substituting SSN numbers with another form of unique identifier won’t necessarily fix the underlying issue, though it will help. Agencies shouldn’t be storing and sharing this type of information unless they need too.
Lawmakers should consider requiring all state agencies to adopt recognized industry standards, such as NIST 800 or ISO 27001 which deal with the handling of sensitive data.