Thanks to Joe Howie of BeyondRecognition.net for alerting me to what appears to be a very long-running, inadequately remedied breach that has exposed – and may be continuing to expose – the Social Security numbers and other personal information of thousands of people. I am posting this with some hesitation, as the data may still be live. But after days of getting no response from Amazon Web Services who were informed of this problem last week, I think it’s time to call attention to the failure of all involved parties to respond promptly. John Martin of BeyondRecognition.net explains:
The Electronic Discovery Reference Model (“EDRM”) is an e-discovery industry standards setting group, and the EDRM Enron Email Data Set v2 (“EDRM Data”) is a collection of documents originally gathered by the Federal Energy Regulatory Commission (“FERC”) as part of its investigation of Enron’s energy trading practices and then made public by it. EDRM Data is a reworked version of the original documents, with a label added to each email that reads,
“EDRM Enron Email Data Set has been produced in EML, PST and NSF format by ZL Technologies, Inc. This Data Set is licensed under a Creative Commons Attribution 3.0 United States License <http://creativecommons.org/licenses/by/3.0/us/>. To provide attribution, please cite to ZL Technologies, Inc. (http://www.zlti.com/).”
EDRM served as a direct download point for the EDRM Data for a period of time and later moved it to Amazon Web Services for downloading.
Breach Discovery. While working with the EDRM Data that we downloaded from the EDRM website, BeyondRecognition discovered that there were over 7,500 instances of unredacted social security numbers, credit card numbers, dates of birth, home addresses and phone numbers – a startling breach of privacy. Most of the data breach victims were Enron employees, but the victims also included spouses or children of the employees as well as third party contractors.
Read more on BeyondRecognition.net.
According to Joe Howie, the data set was still live and available as of two days ago, the last time he checked. As of today, EDMR still links to the data set on AWS. Howie informs DataBreaches.net that this breach was reported last week to various agencies and entities. A post-script on the blog entry says:
BeyondRecognition has reported the data privacy issues in the EDRM Data to EDRM, FERC, Amazon Web Services who currently distributes the data set, the FTC (Reference Number 45277727), and the Texas Attorney General. We have offered lists of those social security numbers to the latter two agencies to aid in notifying the data breach victims and monitoring their SSAN accounts. As of April 30, 2013, that data set was still available for download from Amazon web services via a link from EDRM.net.
After years of being notified of problems, as described elsewhere in their blog entry, and after problems supposedly being fixed, the problems with unredacted PII remained, it seems. And by now, it’s unclear how many different individuals have downloaded the data set with so much PII in the clear.
As of yesterday, the Texas Attorney General’s Office had indicated to Howie that they would be attempting to download the data set as part of verifying the problem and determining its scope. I hope their investigation gets results. Thankfully, they have been more responsive than Amazon Web Services (AWS). DataBreaches.net called Amazon Web Services media communications two days ago to inquire why the data were still live after they had been notified of this breach last week, but did not get to speak to an actual person and they did not return my phone call as of the time of this posting. A tweet to AWS two days ago asking for a phone number to report a breach was answered 24 hours later with a link to their abuse reporting form instead of the requested phone number. They did not respond to a follow-up breach reiterating the request for a phone number that would get results.
I realize that there’s a lot of responsibility/blame to be spread around on this breach, and that EDRM may be more responsible than AWS when it comes time to assign blame, but the fact that AWS did not (has not?) removed the data set is concerning and suggests to me that their breach notification system is sorely inadequate and in need of immediate improvement.
If you know anyone who was employed by Enron or was a spouse or dependent of an Enron employee, you might want to give them the heads up that their Social Security number may be in the hands of numerous people, including those with not-so-honorable intentions.
Update: After posting this, I learned that the Fifth Circuit may have permitted the release of this information. From the available documentation, it appears that the court agreed that sensitive personal information (such as SSN) would be grounds for removing documents from public view. It appears, however, that not all documents containing personnel’s SSN were identified and flagged for removal request. As such, individual employees of Enron and/or their dependents may have never been aware that their information was released and/or has been re-released. In any event, decisions made in 2003 by others – including a court – should not put individuals at risk of ID theft in 2013, when we’ve learned so much more about how easy it is to find – and misuse – SSN via searches.
Update 2: I subsequently received both an email and then a phone call from AWS telling me that they were investigating. I took the opportunity to encourage them to create a link on their home page with a dedicated email address/phone number for people to use to report data leaks so that they get prompt attention. I hope that they do that in the future and look forward to the results of their investigation. See an update post here.