Earlier this week, Jigsaw Security noted that they had discovered that improper redaction of documents posted on the Virginia Dept of Human Resource Management website was potentially exposing employees’ personal information:
A PDF posted by this organization contained information that was obfuscated by blocks but was a layered image so if you edit the document the blocks can be removed and the original content is then visible.
The Jigsaw Security Operations Center sent a standard notification advising them of the issue but they have failed to respond to the request.
Because there were many improperly redacted files putting employees’ SSN, salary, and other details at risk, Jigsaw reached out to DataBreaches.net to help with the notification. On January 12, this site sent a notification to the same DHRM liaison that Jigsaw had attempted to notify, but also contacted DHRM’s media contact to ask for a statement. When there was no response from either party, this site sent a second request to their media contact. That one got their attention, and they asked me for my real name and documentation. I sent them a link to Jigsaw’s post and offered to send them screenshots showing unmasked employee information. I also told them I would delay publication to give them a chance to remove the files from view.
That seemed to produce results. DHRM thanked me for reaching out to them and the next day, they informed this site that DHRM was addressing the security concern by:
- Removal of the referenced documents and links from DHRM’s servers so that data is no longer exposed that might impact employee privacy and security;
- Software that has proper redacting capability was being supplied to users; and
- Staff training was introduced to ensure that no lapses will occur in the future.
DHRM’s ITECH director and security officer also reached out to Jigsaw Security, who provided DHRM with additional assistance with the issue and also provided them with information about other vulnerabilities the intel firm had spotted. Hopefully, DHRM is addressing those issues, too.
And thus ends another adventure in trying to notify entities of security problems. But it shouldn’t be difficult to notify state agencies of security problems. Hopefully, DHRM is addressing that, too, so the next time a white hat tries to alert them to a problem, they get the notification.