DataBreaches.Net


A.G. Schneiderman Announces Settlement After Social Security Numbers Of Over 500 Job Applicants Posted Online

Posted on March 24, 2016 by Dissent

The NYS Attorney General’s office has announced a settlement following a data breach I never heard about. And I’m guessing that some people will grumble that the monetary penalty is too light.

NEW YORK – Attorney General Eric T. Schneiderman today announced a settlement with Doritex Corp. and its website developer Kallus Opraments, involving the disclosure of over 500 social security numbers on the Internet.  The companies have agreed to pay a total of $95,000 and to shore up their data security practices.

“Far too many companies consistently fail to protect our most personal information,” said Attorney General Schneiderman. “I am committed to protecting the privacy of residents of New York State. No one should be exposed to identity theft or financial fraud from a company’s negligent data security practices.”

The settlement requires Doritex, based in Erie County, New York, to provide prompt notice of confirmed data security breaches to affected New York residents and to the Attorney General and to implement reasonable security policies and procedures designed to protect private information in accordance with New York State General Business laws. It also requires Doritex to pay a $55,000 penalty. Kallus Opraments must also implement additional data security policies and procedures, train its employees with the most up-to-date data security practices and pay a $40,000 penalty.

In late June 2015, the Attorney General received a tip that Doritex’s employment applications could be viewed over the Internet through a simple Google search. These employment applications included personal information of the applicant including name, address, and his or her Social Security number. Google regularly crawls the Internet and temporarily copies websites to create an index for its search engine. The Attorney General’s investigation found that Doritex’s website and employment application portal were not secure and did not properly implement encryption technology, security deficiencies that enabled Google web crawlers to cache approximately 518 employment applications on its servers, allowing anyone access for over a month.

Doritex was alerted to the breach on June 22, 2015 by a third party complainant, and while it immediately took corrective steps to stop Google crawlers from copying the employment applications, it did not notify the affected individuals or Schneiderman’s office until July 21, 2015. General Business Law § 899-aa requires notice be provided to affected individuals and various government agencies including Schneiderman’s office, “in the most expedient time possible and without unreasonable delay.”

Under the agreement, Doritex has agreed to provide notice of future breaches as soon as possible and to implement reasonable data security policies and procedures when handling employment applications over the Internet. Doritex has also agreed to:

  1. Review, bi-annually, its existing internal policies and procedures regarding the collection and processing of private information;
  2. Designate one or more employees to coordinate and supervise its privacy and security program;
  3. Adopt protective technologies for the storage, access, and transfer of private information, and credentials related to its access, including the adoption of encryption protocols for the transfer of any social security numbers; and
  4. Respond to events involving unauthorized acquisition, access, use, or disclosure of private information including training all staff on data breach notification law.

Website developer Kallus Opraments, owned by Robert Franke, developed Doritex’s website and employment application portal. He has agreed to develop and implement reasonable security policies and procedures when designing or building websites, or other web applications connected to the Internet, that collect private information including the adoption of appropriate encryption for the transfer of any social security numbers. He will also train his employees on current website and database security practices and data security policies. Finally, he will review existing policies and procedures regarding the collection, storage, transfer and transportation of private information for clients and promptly amend such policies and procedures to protect more adequately the privacy and confidentiality of the private information. Kallus Opraments’ $40,000 penalty was suspended assuming compliance with the agreement due to the company’s financial condition.

This case was handled by Bureau of Internet and Technology Deputy Bureau Chief Clark Russell and Resident Technologist Marc Kowtko. The Bureau of Internet and Technology is led by Bureau Chief Kathleen McGee.

SOURCE: NYS Attorney General Schneiderman

Category: Business Sector, Exposure, Subcontractor, U.S.
