Listen: Eexposed (Aslanian)-7234

MPR’s Sasha Aslanian reports on how the State has provided names and personal information, including Social Security numbers, of new state agency employees to Lookout Services of Bellaire, Texas, to do its E-verify checks. Now the state is informing approximately 500 employees their personal data may have been accessible on the company's web site.

E-verify is a federal program that ensures compliance with immigration requirements. 

Awarded:

2010 MNSPJ Page One Award, first place in Radio - Hard News Report category

Transcripts


SASHA ASLANIAN: For more than three months, state agencies have been using Lookout Services to screen all new hires. For $1.50 a name, the Texas company runs employee data through the Department of Homeland Security's free e-verify program. It confirms that the employee's Social Security number is valid, and that he or she has the legal right to work in the United States.

This week, Minnesota Public Radio was able to access state employee data on Lookout Services' website without using a password or encryption software. On the website, you could see the names, birth dates, Social Security numbers, and hire dates for every agency using the service. This covered 500 employees.

Officials at the Minnesota Management and Budget office took precautionary measures yesterday. Spokesman Curt Yoakum says the state was unable to replicate MPR's access. But the agency acted immediately to protect employees' data.

CURT YOAKUM: MMB directed the company yesterday to remove all state of Minnesota data from the Lookout Services database. All agencies were notified on Thursday to stop using the vendor system. And we are in the process of notifying approximately 500 employees, whose data was potentially involved.

SASHA ASLANIAN: But it wasn't just state employees' data that was accessible on the Lookout Services site. There was a long list of private companies too. MPR alerted Lookout Services to the problem. So far, the company has not reacted to the state's decision to suspend use of its service.

In 2008, Governor Pawlenty signed an executive order requiring e-verification for all executive branch employees and large government vendors and contractors. This June, a legislative auditor's report said the administration still wasn't checking its own employees.

One of the [? hang-ups ?], according to the auditor's report, was security concerns about employees' private data. In July of this year, the state inked a two-year deal with Lookout Services. A representative for Lookout Services says the company works with some 50 to 100 employers across the country. Its website describes, quote, "a seamless fail safe I-9 e-verify process."

However, the company confirmed it experienced a security breach in late October. Curt Yoakum with the Management and Budget office says, the state was aware of the problem. But he says, it apparently did not affect state employees. Lookout Services CEO Elaine Morley declined to go on tape, but said the breach came about because a Lookout Services trainer had used a web address at a webinar that allowed access to actual employee data, not training data.

According to Lookout Services attorney David Pearson, the company plugged the hole, as he calls it. But it did not alert clients whose employees' data had been viewed.

The puzzle for me is that if a data breach was brought to the attention of the company in late October, what happened between late October and my phone call in December?

DAVID PEARSON: As far as I know, it was investigating how they got in.

SASHA ASLANIAN: Lookout Services didn't inform the Department of Homeland Security about the lapse, because it didn't have to.

SPEAKER: Is there a requirement to notify, if there has been a security breach? The answer is no.

Bill Wright is with the Department of Immigration and Customs Services, the part of Homeland Security that runs e-verify. His agency has an agreement with Lookout Services and more than 13,000 other designated agents to run e-verify checks for employers. Wright says Homeland Security was not aware of any problems with Lookout Services and its software met technical requirements.

Lookout Services did not have to inform Homeland Security. But the affected employees did have a right to know this had happened from their employers under the law. Minnesota is one of 46 states with a notification of security breach law. Employees whose personal identification has been accessed by an unauthorized person must be notified, quote, "in the most expedient way possible."

Gail Hillebrand is a senior attorney with Consumers Union. The national watchdog group urges consumers to ask their HR departments, who has access to their Social Security numbers, and what they're doing with them. Hillebrand says passwords, even complicated, non-intuitive, unguessable passwords are not enough to protect sensitive information.

GAIL HILLEBRAND: Companies should not keep, particularly the Social Security number, any longer than they actually need it. Don't collect it, if you don't need it, if something else will do and remove it after use. That's the best protection against breaching, hacking, et cetera is if it's not there anymore.

The next best thing is to encrypt the data at rest, when it's in storage. Then of course, the backup is, if they don't protect you, at least have to tell you about it.

SASHA ASLANIAN: The state of Minnesota now has hundreds of its own employees it has to tell. One of them is Amy Buckmire, who was hired by the state in late October.

AMY BUCKMIRE: I worked part time as a cook at the governor's residence.

SASHA ASLANIAN: Buckmire says she was surprised to learn from a reporter's phone call that her personal information was accessible online.

AMY BUCKMIRE: Pretty disconcerting. I've been the victim of identity theft before with my debit card. So I've been through the whole thing. And knowing that information is out there is pretty scary.

SASHA ASLANIAN: E-verify checks for state employees have been suspended until further notice, while the state looks into the matter. Sasha Aslanian, Minnesota Public Radio News.

Funders

Materials created/edited/published by Archive team as an assigned project during remote work period and in office during fiscal 2021-2022 period.


Transcriptions provided are machine generated, and while APMG makes the best effort for accuracy, mistakes will happen. Please excuse these errors and use the "Contact Us" button if you'd like to report an error. Thank you.
