DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Improper redaction exposed Virginia employees’ personal info

Posted on January 15, 2016 by Dissent

Earlier this week, Jigsaw Security noted that they had discovered that improper redaction of documents posted on the Virginia Dept of Human Resource Management website was potentially exposing employees’ personal information:

A PDF posted by this organization contained information that was obfuscated by blocks but was a layered image so if you edit the document the blocks can be removed and the original content is then visible.

The Jigsaw Security Operations Center sent a standard notification advising them of the issue but they have failed to respond to the request.

Because there were many improperly redacted files putting employees’ SSN, salary, and other details at risk, Jigsaw reached out to DataBreaches.net to help with the notification. On January 12, this site sent a notification to the same DHRM liaison that Jigsaw had attempted to notify, but also contacted DHRM’s media contact to ask for a statement. When there was no response from either party, this site sent a second request to their media contact. That one got their attention, and they asked me for my real name and documentation. I sent them a link to Jigsaw’s post and offered to send them screenshots showing unmasked employee information. I also told them I would delay publication to give them a chance to remove the files from view.

That seemed to produce results. DHRM thanked me for reaching out to them and the next day, they informed this site that DHRM was addressing the security concern by:

  • Removal of the referenced documents and links from DHRM’s servers so that data is no longer exposed that might impact employee  privacy and security;
  • Software that has proper redacting capability was being supplied to  users; and
  • Staff training was introduced to ensure that no lapses will occur in the future.

DHRM’s ITECH director and security officer also reached out to Jigsaw Security, who provided DHRM with additional assistance with the issue and also provided them with information about other vulnerabilities the intel firm had spotted. Hopefully, DHRM is addressing those issues, too.

And thus ends another adventure in trying to notify entities of security problems. But it shouldn’t be difficult to notify state agencies of security problems. Hopefully, DHRM is addressing that, too, so the next time a white hat tries to alert them to a problem, they get the notification.

 

Category: ExposureGovernment SectorU.S.

Post navigation

← Disciplinary action withdrawn against two dozen nurses accused in privacy breach
AU: Canberra psychology clinic accidentally reveals clients’ personal details in email →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Investigation of 2024 Helsinki data breach – Report
  • Major trial underway for data leak that left 72,000 victims in France
  • Anubis: A Closer Look at an Emerging Ransomware with Built-in Wiper
  • HealthEC Agrees to $5.48 Million Settlement to End Data Breach Lawsuit
  • US offering $10 million for info on Iranian hackers behind IOControl malware
  • Sompo Japan Insurance submits improvement plan after info leakage
  • Moreno Valley, Calif., Schools Report Data Breach
  • The Growing Cyber Risks from AI — and How Organizations Can Fight Back
  • Credit Control Corporation data allegedly from 9.1 million consumers listed for sale on forum
  • Copilot AI Bug Could Leak Sensitive Data via Email Prompts

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Your household smart products must respect your privacy – including your air fryer
  • Vermont signs Kids Code into law, faces legal challenges
  • Data Categories and Surveillance Pricing: Ferguson’s Nuanced Approach to Privacy Innovation
  • Anne Wojcicki Wins Bidding for 23andMe
  • Would you — or wouldn’t you?
  • New York passes a bill to prevent AI-fueled disasters
  • Synthetic Data and the Illusion of Privacy: Legal Risks of Using De-Identified AI Training Sets

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.