Today in Minnesota a news story broke that hit me to the core. An employee of the State, Department of Natural Resources to be specific, accessed Minnesota Driver’s License Data of approximately 5,000 people. I attached the links to the stories below. I am not going to lay out the details, just the important ones.
As soon as I heard about this story I paid close attention to it. I even caught a radio interview with a spokesperson who gave more details and deliberately avoided answering other questions about this, which made me really angry and disgusted. What I am about to lay out is directly from the DNR spokesman and the news articles; however, due to the horrific decline in the quality of news reporting, you don’t find it in one location.
The first thing the news story leaves out, which is very important, is that the 5,000 records were not accessed by this individual in a single session but over the course of YEARS. It wasn’t discovered, according to the DNR, until an unrelated HR investigation uncovered it. This tells me the other HR investigation had one guy squeal on this guy, and that’s when they paid attention to it.
The State of Minnesota has no regular IT log monitoring, activity monitoring, or security reviews of authorized access against the Department of Public Safety’s database that contains all the driver’s license data. They cannot claim that they do if this guy accessed these records over the course of years with no one noticing, and it was HR that found out, not IT Security.
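To show what the missing "regular review of authorized access" looks like in practice, here is an added example that is not from the post or from any state system: a periodic review over a constructed audit log of driver's-license record lookups that compares each employee's monthly lookup volume against the median of their peers. The log format, the employee ids (emp_a through emp_x), the 140-lookups-a-month figure and the thresholds are all assumptions made for this illustration.

```python
"""
Constructed example of a periodic access review over an audit log of
driver's-license record lookups. Every name, format and number here is an
assumption for illustration, not the State's actual system or data.
"""
from collections import defaultdict
import statistics


def constructed_log():
    """Build a constructed audit log: four employees doing 3 to 6 lookups a
    month for three years, plus one (emp_x) doing 140 a month, for a total of
    5,040 records pulled by that one account."""
    lines = []
    for year in (2010, 2011, 2012):
        for month in range(1, 13):
            stamp = f"{year}-{month:02d}-15T10:00:00"
            for i, emp in enumerate(("emp_a", "emp_b", "emp_c", "emp_d")):
                for n in range(3 + i):  # ordinary business use
                    lines.append(f"{stamp} {emp} DL-{year}{month:02d}{i}{n:02d}")
            for n in range(140):  # the constructed insider's volume
                lines.append(f"{stamp} emp_x DL-X{year}{month:02d}{n:03d}")
    return lines


def parse_line(line):
    """Parse one constructed line: '<ISO timestamp> <employee> <record-id>'.
    Returns the month bucket ('YYYY-MM'), the employee and the record id."""
    ts, employee, record = line.split()
    return ts[:7], employee, record


def monthly_counts(lines):
    """Return {employee: {'YYYY-MM': number of record lookups}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        month, employee, _ = parse_line(line)
        counts[employee][month] += 1
    return counts


def flag_excessive(counts, factor=5, min_months=3):
    """Flag employees whose lookups exceed `factor` times the peer median in
    at least `min_months` months. Returns a sorted list of
    (employee, months over threshold, total lookups)."""
    months = sorted({m for per_user in counts.values() for m in per_user})
    months_over = defaultdict(int)
    for month in months:
        volumes = {u: counts[u].get(month, 0) for u in counts}
        baseline = statistics.median(volumes.values())
        for user, volume in volumes.items():
            # max(..., 1) keeps a quiet month from producing a zero threshold
            if volume > factor * max(baseline, 1):
                months_over[user] += 1
    return sorted(
        (user, n, sum(counts[user].values()))
        for user, n in months_over.items()
        if n >= min_months
    )


if __name__ == "__main__":
    for employee, months, total in flag_excessive(monthly_counts(constructed_log())):
        print(f"{employee}: over threshold in {months} months, {total} lookups total")
```

Run monthly against the real audit trail, a review this simple would have raised the constructed insider after the third month rather than the third year; the peer-median baseline also avoids hand-picking a fixed number that legitimate high-volume roles would trip. The cutoff values are assumptions and would be tuned to the actual lookup patterns of each role.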
As an Identity and Access Management expert, career IT professional and taxpayer in the state of Minnesota, this is beyond stupid. Waste of money. Your data’s security is not their primary thought. Security is clearly not important either, as it’s apparent that there is no restriction on who can access the data. Business need to know is a loose term for ‘authorized’ access.
Now the other side of this story that gets me is the level of protection this employee has from State employment rules and/or the unions. The articles and the radio interview did not address whether this guy was fired. All it says is that he is no longer employed in the DNR, but they avoided answering whether he was fired from the State’s employment. When the radio spokesperson replied, he jumped behind the State’s employment data protection laws, which say he can’t say what happened… even though 5,000 people now have to worry about credit reports for the next year or so. Their data privacy doesn’t matter. The guy that broke State and Federal law, though, probably moved vertically into another desk job out of the spotlight for a while.
The government sets the laws, compliance penalties, and takes the fines from the private sector all while their own systems with your life defining data sit 10 years behind the curve.
Do you think your DBA would still have a job if the HR Generalist discovered a 3 year data breach? If you are employed by the government that’s not enough to get kicked to the bricks.
End of Line.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.