According to a recently released Texas state audit report, the personal information of almost two million Americans was exposed and publicly available for nearly three years.
Due to a programming issue at the Texas Department of Insurance (TDI), the details of 1.8 million Texan workers, who filed for compensation with the organisation, were publicly available online from March 2019 to January 2022. In addition to Social Security numbers, addresses, dates of birth, and phone numbers accidentally made public, so was potentially sensitive information about workers’ injuries.
A technical issue with TDI’s web application, which manages workers’ compensation information, meant that a protected part of it was accessible by the public via the Internet. The state agency, which is responsible for overseeing the Texas insurance industry, said in a public notice that it first became aware of the issue in January during a regularly scheduled data management audit, though the loophole was found to exist as far back as March 2019.
After discovering the unauthorised disclosure and reporting it to auditors, TDI immediately took the application offline, fixed it, and returned it online. It also sent letters about the leak to the 1.8 million workers who submitted a new workers’ compensation claim in the affected period, and gave them 12 months of free credit monitoring and identity protection services as compensation.
TDI partnered with a forensics company to carry out an investigation into how and why the security incident happened. As of May 17, the investigation did not find any evidence that workers’ personal information has been misused by anyone outside of TDI.
Although there is no sign yet that the breached information has been used maliciously, it is still possible that cyber-attackers have accessed the information and may be waiting for the right opportunity to post it on the Dark Web. When or if this breached data gets posted, there is very little doubt that the Personally Identifiable Information (PII) and Protected Health Information (PHI) will be invaluable to cyber-criminals.
A single breached record can be worth approximately US$8 on the Dark Web. That may not seem to be a big loss to a single person, but if this stolen identity falls into the wrong hands, misuse could lead to a damaged credit rating, tax debt, lost time and/or money, psychological impacts, and even a criminal record for the victim.
Take the case of a Dutch citizen whose identity was stolen by someone who went on to commit multiple traffic offences. The outcome was that the victim lost his business and house, his credit rating was ruined, he got divorced, and developed several psychological issues as a result.
Once an identity is misused, it can take years, if not decades, to recover from it. For the man mentioned above, it took 12 years to get all his records fixed.
As for the criminal who stole and used his identity, they were never caught. When you consider these impacts of identity theft, can 12 months of free credit monitoring and identity protection services be considered adequate compensation?
Beyond the size of the breach and sensitive nature of the data, another unfortunate aspect of this incident was how unintentional it was. The data breach was not due to an attack or malicious activity, but an issue with the code that had simply been overlooked during development.
The incident also acts as a reminder of the special responsibility government agencies have with safeguarding people’s private information against cybersecurity threats. In addition to an effective combination of data, application, and penetration security testing, adequate stress testing needs to be done ahead of any application’s go-live to public end-users.
Many of these systems are left exposed online without proper application usage monitoring, so their operators often do not know who does what on them. Application monitoring can show whether users are walking paths that lie outside the intended design, but setting this up requires a significant amount of time and effort, and it requires people to actively monitor usage patterns and respond to alerts.
Some have suggested that government agencies such as TDI could use tokenisation or format-preserving encryption for their sensitive data, ensuring it becomes unusable for exploitation if cybercriminals decide to steal it. However, this approach is only useful in test systems, where the risk of using production data is high due to a lack of adequate security controls.
With TDI, the problem existed in the authorisation layer. For a production system, if there is an issue in the authorisation layer to access the data, it would not matter how well encrypted the database or data is, since the application layer will have access to the decrypted data.
With the benefit of hindsight, the issue at TDI could have been discovered through testing with an authorisation matrix, which should have been part of the design. A test automation framework would pick this up when testing for false paths, and so would a pentest with manual effort.
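As an added illustration (not TDI's code, and not a description of their actual application), here is a minimal Python model of a claims-lookup handler checked against an authorisation matrix; the roles, paths and claim records are constructed. The deny rows of the matrix are the "false paths": a suite that only exercises the permitted paths passes even when the authorisation check is missing, while the matrix walk reports exactly which role/path cells are exposed.

```python
# Added example, not TDI's code. Roles, routes and records are constructed.
from dataclasses import dataclass

# Constructed sample data: claim records keyed by claim id.
CLAIMS = {"c-1001": {"worker": "A. Example", "injury": "back strain"},
          "c-1002": {"worker": "B. Sample", "injury": "fracture"}}

@dataclass
class Request:
    path: str
    role: str  # one of "anonymous", "worker", "adjuster"

class ClaimsApp:
    """Minimal app model: authorisation is enforced inside the handler."""
    def __init__(self, enforce_auth: bool = True):
        # enforce_auth=False models the overlooked check described above:
        # the protected path becomes reachable by any caller.
        self.enforce_auth = enforce_auth

    def handle(self, req: Request):
        """Return (status, body), as an HTTP handler would."""
        if req.path == "/public/status":
            return 200, "ok"
        if req.path.startswith("/claims/"):
            if self.enforce_auth and req.role != "adjuster":
                return 403, "forbidden"
            claim = CLAIMS.get(req.path.split("/")[2])
            return (200, claim) if claim else (404, "not found")
        return 404, "not found"

# Authorisation matrix: (role, path) -> expected status. The 403 rows are
# the "false paths"; they only fail when a check is missing.
AUTHZ_MATRIX = {
    ("anonymous", "/public/status"): 200,
    ("anonymous", "/claims/c-1001"): 403,
    ("worker", "/claims/c-1001"): 403,
    ("adjuster", "/claims/c-1001"): 200,
}

def check_matrix(app: ClaimsApp) -> list:
    """Walk every cell of the matrix; return the cells whose status differs."""
    failures = []
    for (role, path), expected in AUTHZ_MATRIX.items():
        status, _ = app.handle(Request(path=path, role=role))
        if status != expected:
            failures.append((role, path, expected, status))
    return failures

if __name__ == "__main__":
    print("broken app exposes:", check_matrix(ClaimsApp(enforce_auth=False)))
```

The same matrix can be driven from a real test framework against a deployed instance, with one test case per cell, so the deny rows are checked on every build.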
Director - Security Services