DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Improper redaction exposed Virginia employees’ personal info

Posted on January 15, 2016 by Dissent

Earlier this week, Jigsaw Security noted that they had discovered that improper redaction of documents posted on the Virginia Dept of Human Resource Management website was potentially exposing employees’ personal information:

A PDF posted by this organization contained information that was obfuscated by blocks but was a layered image so if you edit the document the blocks can be removed and the original content is then visible.

The Jigsaw Security Operations Center sent a standard notification advising them of the issue but they have failed to respond to the request.

Because there were many improperly redacted files putting employees’ SSN, salary, and other details at risk, Jigsaw reached out to DataBreaches.net to help with the notification. On January 12, this site sent a notification to the same DHRM liaison that Jigsaw had attempted to notify, but also contacted DHRM’s media contact to ask for a statement. When there was no response from either party, this site sent a second request to their media contact. That one got their attention, and they asked me for my real name and documentation. I sent them a link to Jigsaw’s post and offered to send them screenshots showing unmasked employee information. I also told them I would delay publication to give them a chance to remove the files from view.

That seemed to produce results. DHRM thanked me for reaching out to them and the next day, they informed this site that DHRM was addressing the security concern by:

  • Removal of the referenced documents and links from DHRM’s servers so that data is no longer exposed that might impact employee  privacy and security;
  • Software that has proper redacting capability was being supplied to  users; and
  • Staff training was introduced to ensure that no lapses will occur in the future.

DHRM’s ITECH director and security officer also reached out to Jigsaw Security, who provided DHRM with additional assistance with the issue and also provided them with information about other vulnerabilities the intel firm had spotted. Hopefully, DHRM is addressing those issues, too.

And thus ends another adventure in trying to notify entities of security problems. But it shouldn’t be difficult to notify state agencies of security problems. Hopefully, DHRM is addressing that, too, so the next time a white hat tries to alert them to a problem, they get the notification.

 

No related posts.

Category: ExposureGovernment SectorU.S.

Post navigation

← Disciplinary action withdrawn against two dozen nurses accused in privacy breach
AU: Canberra psychology clinic accidentally reveals clients’ personal details in email →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Air Force Employee Pleads Guilty to Conspiracy to Disclose Unlawfully Classified National Defense Information
  • UK police arrest four in connection with M&S, Co-op and Harrods cyberattacks (1)
  • At U.S. request, France jails Russian basketball player Daniil Kasatkin on suspicion of ransomware conspiracy
  • Avantic Medical Lab hacked; patient data leaked by Everest Group
  • Integrated Oncology Network victim of phishing attack; multiple locations affected (2)
  • HHS’ Office for Civil Rights Settles HIPAA Privacy and Security Rule Investigation with Deer Oaks Behavioral Health for $225k and a Corrective Action Plan
  • HB1127 Explained: North Dakota’s New InfoSec Requirements for Financial Corporations
  • Credit reports among personal data of 190,000 breached, put for sale on Dark Web; IT vendor fined
  • Five youths arrested on suspicion of phishing
  • Russia Jailed Hacker Who Worked for Ukrainian Intelligence to Launch Cyberattacks on Critical Infrastructure

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How to Build on Washington’s “My Health, My Data” Act
  • Department of Justice Subpoenas Doctors and Clinics Involved in Performing Transgender Medical Procedures on Children
  • Google Settles Privacy Class Action Over Period Tracking App
  • ICE Is Searching a Massive Insurance and Medical Bill Database to Find Deportation Targets
  • Franklin, Tennessee Resident Sentenced to 30 Months in Federal Prison on Multiple Cyber Stalking Charges
  • On July 7, Gemini AI will access your WhatsApp and more. Learn how to disable it on Android.
  • German court awards Facebook user €5,000 for data protection violations

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.