If you say you always do right, then you should do right, right?
Ouch. Over on infosec.exchange, @Jayeltee recently wrote:
Professional Probation Services ( www.ppsfamily.com ) exposes almost 500,000 US probationers' private data publicly, SSNs included, and when I ask them for their intentions regarding disclosure, they go into hiding mode, removing their management and Our Companies contact page.
Read more about the exposed data from the company who, according to them, has “A corporate culture of knowing right from wrong, and doing right- every time.”
So DataBreaches did read more on JayeLTee’s substack.
One of the exposed databases, called “Probationers,” contained 467,383 entries with the following fields:
ProbID, CourtID, OfficeID, SentenceDate, ProbationDate, ProbationExpires, TermMonths, ProbationTypeID, JudgeID, PO, ProbFeePerMonth, VCFFeePerMonth, StatusCurrent, FName, MName, LName, Suffix, Sex, Hair, Eyes, Height, Weight, DOB, Race, SSN, PhoneCell, PhoneHome, EMail, EnteredBy, EnterDate, PhyStreet, PhyStreet2, PhyCity, PhyState, PhyZip, MailStreet, MailStreet2, MailCity, MailState, MailZip, Employer, EmployerLocation, EmployerPhone, ReportType, DL, DLState, CLP_ProbID, EarlyTerm, ModifyBy, ModifyDate, GPMID, FirstOffender, ConditionalDischarge, DrugCourt, DUICourt, ConvDocket, PrimaryCase, HoldAndClear, FinancialNote, TollDaysRemaining, TolledWarrantOrigExpireDate, PleaInAbeyance, PostIT, DoNotText, MinMonthlyPmt, PayByDate, RandomDrugTests, RandomDrugInterval, RandomDrugTexting, DoNotClose, OfficeSatelliteID, CareCourt, VetCourt, NeedsProbUpdate, MaritalStatus, Children, NumChildren, ChildrenLiveWith, Income, EducationLevel, Language, PrevArrestNumber, PBC_Division, DrugScreenLabLocation, DrugScreenType, SPOS, InvoicesZeroed, DPA, VerifiedMeds, LSRisk, PTR_Recommended, PTR_DeniedByJudge, PTR_CourtAppearanceDate, PTR_FTADate, PTR_WarrantIssued, PTR_NewArrest, PTR_TechViol, PTR_IndigentPDAppointed, Felony, FPSKey, DaysCredit, SAP, JailHold, PaymentPlan, CBMoneyDue, ORCADocket, XKey, NonCompliant, GUID
The table contained 388,685 Social Security numbers in entries, of which 330,988 were unique. It also contained 222,998 email addresses, of which 195,936 were unique.
The biggest table was “Notes.” It reportedly contained almost 20 million entries. JayeLTee provided an example after stripping it of some identifiable information:
Good afternoon.. You arrested my 5 month high risk pregnant daughter for not being able to come an hour and half away to take a drug screen 2 days after she told you in person that she has no license or car to come the 60 mile drive from loganville to your office.. She has asked you more than once to transfer it to one of the 7 offices less than 10 minutes from her house and you won’t ..’,’2023-03-07 14:43:12′,
JayeLTee presents a lot more data in his article, but let’s leap ahead to his notification to Professional Probation Services.
His email may strike some as insulting in tone, but it contained all the important details such as where to find the exposed data and what he observed in terms of the scope of the exposure. A copy of it is included in his full article.
“A corporate culture of knowing right from wrong, and doing right- every time.”
Within hours after notifying them, JayeLTee noticed that the data was no longer exposed, which is to PPS’s credit.
But PPS never responded to his notification. No “Thank you” or any acknowledgment at all. So days later, JayeLTee emailed them again to ask if they planned to disclose this leak and if so, when, so he would delay publication to give them a chance to disclose first.
They did not reply to his second email, but they did respond somewhat — they removed the webpage on their site that named their management team.
It has now been more than a week since JayeLTee first reached out to PPS, and he has still received no reply.
Unanswered Questions
DataBreaches emailed PPS on November 4 to ask:
- When was the data first unintentionally exposed?
- Do they have logs that show how many unauthorized IP addresses accessed the exposed data between then and when they secured the data?
- Are they notifying any federal or state regulators about this incident? If so, which one(s)?
- Will they be notifying any of the people who had their personally identifiable information exposed?
- Will they be offering people complimentary mitigation services if their SSN was exposed?
- Can they explain why they never responded to JayeLTee’s emails and why they removed their management page from their site?
There has been no reply as of publication. DataBreaches will update this post if a reply is received or more information becomes available.