Wednesday, January 13, 2016

State of Virginia DHRM fails to respond to notification

On 1-7-2016 a researcher that assist Jigsaw Security noted some issues with documents posted on the DHRM website. A PDF posted by this organization contained information that was obfuscated by blocks but was a layered image so if you edit the document the blocks can be removed and the original content is then visible.

The Jigsaw Security Operations Center sent a standard notification advising them of the issue but they have failed to respond to the request.

As of the posting of this article the document remains on the website and there has been no response for the contact Nancy Tobin identified as the documents author. Our email was not returned as undeliverable.

We can't show you the actual email because it would expose the actual issue but we did what we could to notify them of the issue. 

We we notified them and followed up but no response. 

So basically they tried to do the right thing by blocking out personally identifiable information in these documents but the method used was inadequate. 

It is unknown of the individuals affected by this issue are still employed by the State of Virginia as we have not received any response to our inquiry. 

Hopefully bringing this information to light will prevent this type of information disclosure in the future but the lack of response is troubling. 

As of 14 January, 2016 a response was received indicating that the issue is being corrected.

"DHRM takes any possible data breach very seriously, and we wanted to notify you that measures are being taken to address the issue:

·         Removal of the referenced documents and links from DHRM’s servers so that data is no longer exposed that might impact employee privacy and security;
·         Software that has proper redacting capability supplied to users;
·         Staff training introduced to ensure that no lapses will occur in the future.

Thank you for bringing this matter to our attention."

No comments:

Post a Comment