In July, Yellowstone County, Montana announced a hack of their web site, which they later said may have exposed personal information. Now Clair Johnson reports:
An investigation of intrusions into Yellowstone County’s computer servers showed numerous hacking attempts but no theft of personal information in the two attacks that were analyzed.
A preliminary report by AtaData, a Butte computer company the county hired in July to conduct a forensic analysis, said there was evidence of numerous hacking attempts during the previous 18 months.
Because of the volume of information and time-sensitive nature of the case, AtaData limited its analysis to two intrusions, one on July 12 and another on July 13, said James Holmes, an AtaData investigator, in a preliminary report to the county earlier this month.
“It was determined that no personal information was gathered by the hackers responsible for these two attacks; however, critical personal information stored on this server was vulnerable,” Holmes said.
Read more on The Billings Gazette.
So they know there were multiple attempts but they actually fully investigate only two of them? Consider this statement:
While it was “highly probable” that large amounts of information from various databases were transferred during some of the attacks, it was “less probable” that the information collected by hackers came from the database that contained the private information, the report said.
“However, it is not impossible, and therefore, any necessary precautions to secure these accounts should be taken,” the report said.
Under what conditions is it acceptable for an entity to basically say that they know they had multiple intrusions but aren’t fully investigating to determine if those intrusions resulted in the transfer of personal information?