DataBreaches.Net


A.G. Schneiderman Announces Settlement After Social Security Numbers Of Over 500 Job Applicants Posted Online

Posted on March 24, 2016 by Dissent

The NYS Attorney General’s office has announced a settlement following a data breach I never heard about. And I’m guessing that some people will grumble that the monetary penalty is too light.

NEW YORK – Attorney General Eric T. Schneiderman today announced a settlement with Doritex Corp. and its website developer Kallus Opraments, involving the disclosure of over 500 social security numbers on the Internet.  The companies have agreed to pay a total of $95,000 and to shore up their data security practices.

“Far too many companies consistently fail to protect our most personal information,” said Attorney General Schneiderman. “I am committed to protecting the privacy of residents of New York State. No one should be exposed to identity theft or financial fraud from a company’s negligent data security practices.”

The settlement requires Doritex, based in Erie County, New York, to provide prompt notice of confirmed data security breaches to affected New York residents and to the Attorney General and to implement reasonable security policies and procedures designed to protect private information in accordance with New York State General Business laws. It also requires Doritex to pay a $55,000 penalty. Kallus Opraments must also implement additional data security policies and procedures, train its employees with the most up-to-date data security practices and pay a $40,000 penalty.

In late June 2015, the Attorney General received a tip that Doritex’s employment applications could be viewed over the Internet through a simple Google search. These employment applications included personal information of the applicant including name, address, and his or her Social Security number. Google regularly crawls the Internet and temporarily copies websites to create an index for its search engine. The Attorney General’s investigation found that Doritex’s website and employment application portal were not secure and did not properly implement encryption technology, security deficiencies that enabled Google web crawlers to cache approximately 518 employment applications on its servers, allowing anyone access for over a month.

Doritex was alerted to the breach on June 22, 2015 by a third party complainant, and while it immediately took corrective steps to stop Google crawlers from copying the employment applications, it did not notify the affected individuals or Schneiderman’s office until July 21, 2015. General Business Law § 899-aa requires notice be provided to affected individuals and various government agencies including Schneiderman’s office, “in the most expedient time possible and without unreasonable delay.”

Under the agreement, Doritex has agreed to provide notice of future breaches as soon as possible and to implement reasonable data security policies and procedures when handling employment applications over the Internet. Doritex has also agreed to:

  1. Review, bi-annually, its existing internal policies and procedures regarding the collection and processing of private information;
  2. Designate one or more employees to coordinate and supervise its privacy and security program;
  3. Adopt protective technologies for the storage, access, and transfer of private information, and credentials related to its access, including the adoption of encryption protocols for the transfer of any social security numbers; and
  4. Respond to events involving unauthorized acquisition, access, use, or disclosure of private information including training all staff on data breach notification law.

Website developer Kallus Opraments, owned by Robert Franke, developed Doritex’s website and employment application portal. He has agreed to develop and implement reasonable security policies and procedures when designing or building websites, or other web applications connected to the Internet, that collect private information including the adoption of appropriate encryption for the transfer of any social security numbers. He will also train his employees on current website and database security practices and data security policies. Finally, he will review existing policies and procedures regarding the collection, storage, transfer and transportation of private information for clients and promptly amend such policies and procedures to protect more adequately the privacy and confidentiality of the private information. Kallus Opraments’ $40,000 penalty was suspended assuming compliance with the agreement due to the company’s financial condition.

This case was handled by Bureau of Internet and Technology Deputy Bureau Chief Clark Russell and Resident Technologist Marc Kowtko. The Bureau of Internet and Technology is led by Bureau Chief Kathleen McGee.

SOURCE: NYS Attorney General Schneiderman

Category: Business Sector, Exposure, Subcontractor, U.S.
