Another day, another leak involving sensitive information. From the UpGuard team:
The UpGuard Cyber Risk Team can now disclose that sensitive data from the Los Angeles County 211 service, a nonprofit assistance organization described on their website as “the central source for providing information and referrals for all health and human services in LA County,” was publicly exposed online.
The contents of the downloadable files include access credentials for those operating the 211 system, email addresses for contacts and registered resources of LA County 211, and most troubling, detailed call notes. These notes describe the reason for the calls, including personally identifying information for people reporting the problem, persons in need, and, where applicable, their reported abusers. Included in the more than 3 million rows of call logs are 200,000 rows of detailed notes, including graphic descriptions of elder abuse, child abuse, and suicidal distress, raising serious, large-scale privacy concerns. In many of these cases, full names, phone numbers, addresses, and even 33,000 instances of full Social Security numbers are revealed among the data.
Read more on UpGuard.
UpGuard’s spokesperson confirmed to me that UpGuard first attempted to reach out to LA County 211 within hours of discovering the exposure on March 14. Why, then, did it take more than a month – until April 24 – for the county to get notified and do something??? I have reached back out to UpGuard to try to get more details as to why notification was not accomplished more quickly. Note that I am NOT criticizing UpGuard at all. I want to know where the county’s notification system may have broken down if it was not possible for UpGuard to quickly and effectively notify them on March 14.
Update: So Chris Vickery filled me in more on what happened with the attempt to notify. According to Chris, the county was called 1 hour and 15 minutes after discovery.
“Couldn’t get a real person,” Chris told me, “so 15 minutes later I called 211 itself (the public line) and spoke to an operator. The operator took me seriously and said she would send my contact details to the proper IT contacts and also gave me an admin support email to send a message to. The support email address must be an “internal only” email address because it bounced when I sent a notification message to it. I don’t know what happened to the operator’s email to the supposed IT staffer. I never heard from them.”
Ugh. A colleague of Chris’s followed up eventually, as the others were busy dealing with the AggregateIQ/Cambridge Analytica situation. When the colleague got a direct number for someone in IT, they were finally able to notify the IT staff.