The names, addresses and Social Security numbers of roughly 2,100 Mainers who receive foster care benefits were accidentally posted to a public website in September, the Maine Office of Information Technology said Monday.
The office “has begun notifying approximately 2,100 individuals of a recent incident that may have resulted in a temporary exposure of their personal information,” the agency said in a statement.
The statement said letters notifying those affected by the breach were sent out Thursday, seven weeks after their data was exposed. Spokesman David Heidrich said the Office of Information Technology didn’t send the letters until it had concluded an internal investigation and identified a service provider to assist those affected.
The breach occurred as part of a technology system upgrade on Sept. 21, when a contractor with the Office of Information Technology posted information from a Maine Department of Health and Human Services child welfare services database to “a third-party website outside the State of Maine system,” it said.
Heidrich said the contractor, Knowledge Services, continues to work for the state, but that the Knowledge Services worker who inadvertently made the data public has been terminated. The individual had uploaded a file containing the data to a free file-comparison website without realizing that in doing so the information became publicly accessible, Heidrich said.
“The file consisted of information including the names, addresses and Social Security numbers of persons receiving foster care benefits, as well as the names of children and legal guardians of individuals participating in the program,” the release said. The information was publicly available for about 4½ hours before being taken down, it said.
Heidrich said the leaked data included Social Security numbers of foster parents but not foster children.
After learning that the file had been made publicly available, the office immediately contacted the website to have the information removed, it said. The file in question was removed from the website and any copies of the data in the company’s possession were deleted.
“Upon investigation, (the Office of Information Technology) received assurances from the third-party website that the information was removed from their web server and that no copy of the information remains in their custody,” the office said in a letter to those affected. “However, (the office) has also been informed that the posted information was accessed once during the time it was publicly available.”
Letters were mailed Thursday to those affected, with information on how the exposure occurred, an offer of one year of free credit and identity monitoring, and additional information on ways recipients can protect themselves, the office said.
“I’d like to stress that we’ve been informed that this information was accessed just once in the time that it was available, and we have no reason to believe that this access was malicious,” Heidrich said.
Local cybersecurity expert Rob Simopoulos said not all data breaches involve malicious intent.
“Human error can be a major factor in data breaches,” said Simopoulos, co-founder and partner at Launch Security in Portland.
He noted that even the recent, headline-grabbing breach at credit ratings firm Equifax, in which some 150 million Americans’ sensitive data was stolen, ultimately was blamed on a single person within the company who failed to apply a months-old software patch to eliminate a known security flaw.
“There’s still a huge human element to cybersecurity and protecting data appropriately,” Simopoulos said.