INSIGHTS / Articles

How A Breach Exposed Personal Data of 1.8 Million People

 25 May 2022 
According to a recently released Texas state audit report, the personal information of almost two million Americans was exposed and publicly available for nearly three years.

Due to a programming issue at the Texas Department of Insurance (TDI), the details of 1.8 million Texan workers, who filed for compensation with the organisation, were publicly available online from March 2019 to January 2022. In addition to Social Security numbers, addresses, dates of birth, and phone numbers accidentally made public, so was potentially sensitive information about workers’ injuries.

A technical issue with TDI’s web application, which manages workers’ compensation information, meant that a protected part of it was accessible by the public via the Internet. The state agency, which is responsible for overseeing the Texas insurance industry, said in a public notice that it first became aware of the issue in January during a regularly scheduled data management audit, though the loophole was found to exist as far back as March 2019.

Crisis averted?

After discovering the unauthorised disclosure and reporting it to auditors, TDI immediately took the application offline, fixed it, and returned it online. It also issued letters to the 1.8 million workers, who submitted a new workers’ compensation claim in the affected period, about the leak, as well as giving them 12 months of free credit monitoring and identity protection services as compensation.

TDI partnered with a forensics company to carry out an investigation into how and why the security incident happened. As of May 17, the investigation did not find any evidence that workers’ personal information has been misused by anyone outside of TDI.

Although there is no sign yet that the breached information has been used maliciously, it is still possible that cyber-attackers have accessed the information and may be waiting for the right opportunity to post it on the Dark Web. When or if this breached data gets posted, there is very little doubt that the Personally Identifiable Information (PII) and Protected Health Information (PHI) will be invaluable to cyber-criminals.

A single breached record can be worth approximately US$8 on the Dark Web. That may not seem to be a big loss to a single person, but if this stolen identity falls into the wrong hands, misuse could lead to a damaged credit rating, tax debt, lost time and/or money, psychological impacts, and even a criminal record for the victim.

Take the case of a Dutch citizen whose identity was stolen by someone who went on to commit multiple traffic offences. The outcome was that the victim lost his business and house, his credit rating was ruined, he got divorced, and developed several psychological issues as a result.

Once an identity is misused, it can take years, if not decades, to recover from it. For the man mentioned above, it took 12 years to get all his records fixed.

As for the criminal that stole and used his identity, they were never caught. When you consider these impacts of identity theft, can 12 months of free credit monitoring and identity protection services be considered as adequate compensation?

Protect your users

Beyond the size of the breach and sensitive nature of the data, another unfortunate aspect of this incident was how unintentional it was. The data breach was not due to an attack or malicious activity, but an issue with the code that had simply been overlooked during development.

The incident also acts as a reminder of the special responsibility government agencies have with safeguarding people’s private information against cybersecurity threats. In addition to an effective combination of data, application, and penetration security testing, adequate stress testing needs to be done ahead of any application's go-live to public end-users.

Many of these systems are left exposed online without proper application usage monitoring, so their owners often do not know who does what on them. Application monitoring can show whether users are walking paths that fall outside the intended design, but setting this up requires a significant amount of time and effort, and it requires people to actively watch usage patterns and respond to alerts.
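The kind of usage monitoring described above, as an added example that is not code from the article or from TDI's application: it walks constructed access-log lines for a claims application and flags protected paths served without an authenticated user, plus clients reading an unusual number of distinct claim records. The log format, route names and threshold are assumptions.

```python
# Added example (not from the article): monitoring access logs for paths walked
# outside the intended design. Log lines, routes and threshold are constructed.
import re
from collections import defaultdict

PROTECTED_PREFIXES = ("/claims/",)   # routes that return PII/PHI
ENUM_THRESHOLD = 3                   # distinct claim records per client before alerting

# Constructed log format: "<ip> <user-or-dash> "GET <path>" <status>"
LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<user>\S+) "GET (?P<path>\S+)" (?P<status>\d{3})$')

SAMPLE_LOG = """\
10.0.0.5 w123 "GET /claims/1001" 200
10.0.0.5 - "GET /public/forms" 200
198.51.100.7 - "GET /claims/1002" 200
198.51.100.7 - "GET /claims/1003" 200
198.51.100.7 - "GET /claims/1004" 200
203.0.113.9 adj7 "GET /claims/1005" 200
"""

def find_anomalies(log_text):
    """Return alerts for (a) protected paths successfully served to clients with no
    authenticated user, and (b) clients that read many distinct claim records."""
    alerts = []
    seen = defaultdict(set)  # client ip -> distinct protected paths read
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected format
        ip, user, path, status = m.group("ip", "user", "path", "status")
        if path.startswith(PROTECTED_PREFIXES) and status == "200":
            if user == "-":
                alerts.append(("UNAUTHENTICATED_PROTECTED_READ", ip, path))
            seen[ip].add(path)
    for ip, paths in seen.items():
        if len(paths) >= ENUM_THRESHOLD:
            alerts.append(("MANY_DISTINCT_CLAIMS", ip, len(paths)))
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_LOG):
        print(alert)
```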

Some have suggested that government agencies such as TDI could use tokenisation or format-preserving encryption for their sensitive data, ensuring it becomes unusable for exploitation if cybercriminals decide to steal it. However, this approach is only useful in test systems, where the risk of using production data is high due to a lack of adequate security controls.

With TDI, the problem existed in the authorisation layer. For a production system, if there is an issue in the authorisation layer to access the data, it would not matter how well encrypted the database or data is, since the application layer will have access to the decrypted data.

With the benefit of hindsight, the issue at TDI could have been discovered through testing with an authorisation matrix, which should have been part of the design. A test automation framework would pick this up when testing for false paths, and so would a pentest with manual effort.
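One way to turn an authorisation matrix into an automated test, as an added example that is not code from the article or from TDI's application: every role is walked against every route, including the "false paths" that must be denied, and a hypothetical "before" policy with one overlooked route is compared with a deny-by-default policy driven by the matrix. Roles, routes and both policies are constructed for illustration.

```python
# Added example (not from the article): an authorisation-matrix test.
# Roles, routes, expected outcomes and both policies are constructed.
from itertools import product

ROLES = ("anonymous", "worker", "adjuster", "admin")

# The matrix: for each route, the set of roles that MAY access it.
# Claim routes carry PII/PHI, so only the owning worker and agency staff may read them.
EXPECTED = {
    "GET /claims/{own}":   {"worker", "adjuster", "admin"},
    "GET /claims/{other}": {"adjuster", "admin"},
    "GET /claims/export":  {"admin"},        # bulk export of claim records
    "GET /public/forms":   set(ROLES),       # genuinely public content
}

def buggy_policy(role, route):
    """Hypothetical 'before' policy: one route was never wired to a role check."""
    if route == "GET /public/forms":
        return True
    if route == "GET /claims/export":
        return True                           # overlooked: no role check at all
    if route == "GET /claims/{own}":
        return role != "anonymous"
    if route == "GET /claims/{other}":
        return role in ("adjuster", "admin")
    return False

def fixed_policy(role, route):
    """Corrected policy: deny by default, allow only what the matrix lists."""
    return role in EXPECTED.get(route, set())

def run_matrix(policy):
    """Check every (role, route) pair, including the false paths that must be
    denied, and return each combination where the policy disagrees with the matrix."""
    violations = []
    for role, route in product(ROLES, EXPECTED):
        allowed = bool(policy(role, route))
        should = role in EXPECTED[route]
        if allowed != should:
            kind = "UNEXPECTED ALLOW" if allowed else "UNEXPECTED DENY"
            violations.append((kind, role, route))
    return violations

if __name__ == "__main__":
    for name, pol in (("buggy", buggy_policy), ("fixed", fixed_policy)):
        print(name, run_matrix(pol))
```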

Ferdinand Hagethorn

Director - Security Services

Security as a Service

Planit Strike is a low-cost Static and Dynamic Application Security Testing (SAST and DAST) solution that scans your code and applications as they are being built to find vulnerabilities before they can be introduced. It's available on-demand or can be integrated into your CI/CD pipeline, helping you to shift left and increase velocity upstream.
 
Find out how Planit Strike can improve your security risk posture and keep your code clean.
