Mopping up after your vendor’s data breach

Get out the mop. Your vendor has been breached and your constituents are at risk.  That’s what ten states are doing right now as they clean up after America’s JobLink Alliance Technical Support informed the states of Kansas, Alabama, Arizona, Arkansas, Delaware, Idaho, Illinois, Maine, Oklahoma, and Vermont of the loss of personal identifiable information (PII) of their job seekers to an unknown malicious third party.

The good news is, AJLA-TS put their arms around their breach in a business-like manner which we wish others would emulate. Here’s what happened.

AJLA-TS, which is in Topeka, Kan., describes themselves as: “America’s JobLink Alliance–Technical Support (AJLA–TS) serves as the national information systems development and support center for America’s JobLink Alliance (AJLA). AJLA–TS helps state and local workforce agencies meet the needs of today’s customers by providing intuitive, integrated information technology solutions and exceptional technical support.”

AJLA-TS advises in their March 22 press release, that on Feb. 20, 2017 a hacker created a user account and then exploited a “misconfiguration” in the application code. The exploitation of this misconfiguration allowed access to the account information of other account holders, which were job seekers.

Approximately 20 days later, on March 12 the tech support team at AJLA-TS detected unusual error messages. They brought in outside forensic assistance (RSA) and immediately informed law enforcement. They determined someone was exploiting a misconfiguration within their system. AJLA-TS spokesperson, Christine Bohannon, explained how a code misconfiguration was included in their application update released in October 2016. 

On March 14, AJLA-TS confirmed disabling the hacker’s access to their systems and corrected the misconfiguration of their application used in 10 states to assist job seekers.

What was lost in the AJLA-TS data breach?

Those affected lost their user names, date of birth, and Social Security number. Individual job seekers who opened accounts on AJLA-TS prior to March 16 were potentially affected. The total number, according to Bohannon was 6,764,341 individuals affected.

The breakdown by state: 

• AL – 1,540,094
• AZ – 976,612
• AR – 598,693
• DE – 253,896
• ID – 187,636
• IL – 1,380,612
• KS – 579,383
• ME – 284,018
• OK – 731,859
• VT – 231,538     

The affected states are reacting differently. Arkansas issued a three-sentence announcement of the breach. Vermont’s governor railed on the potential damage to his constituents. Arizona announced it was pursuing contractual adjustments so that its “client privacy is not compromised in the future.” 

When reading the various reactions, one is left with the impression that for some states there is a good bit of data breach fatigue in play, while others are tired of data breaches and want their contractors to protect their constituent’s data. They (the states) are the ones which have to face the job seeker, even if they are passing along the instructions and advice provided by AJLA-TS, they will be the ones face-to-face with those affected.

The trusted insider factor

What we do know is that their application was misconfigured. The trusted insider made an error. Whether simple human error or malicious omission is for AJLA-TS to determine. This breach feeds into the narrative of the various annual security reports, on how application configuration and insider misconfigurations are often found to be the culprit when the damage assessment has been concluded.

The 2017 Verizon Data Breach Investigations Report notes how insider misconfiguration is one of the top five paths to data being exploited. The 2015 Verizon Data Breach Investigations Report notes how just under 30 percent of all breach incidents are caused by miscellaneous errors. With only 4.1 percent of breaches being caused by web app attacks.

The 2016 Ponemon report on application security found that more testing of applications is needed across all industries. The report noted that almost half of their respondents say their organization does not test applications for threats and vulnerabilities (25 percent) or testing is not pre-scheduled (23 percent). Only 14 percent of respondents say applications are tested every time the code changes.

The 2016 Ponemon Report on breach resolution notes how 33 percent of those with cyber insurance, are covered by incidents which are caused by human error, mistakes or negligence. 

 AJLA-TS data breach response was exemplary. Rare is the entity which discovers the breach, corrects the error and puts out their announcement and individual user mitigation instructions to those affected in 12 days. Letters to each affected individual were mailed on March 24. This is indicative of having in place a breach response plan. Their personnel are provided an annual security awareness program.

One of the key pieces of PII harvested were individual job seekers Social Security numbers. The federal government requires AJLA-TS ask for the number, but the individual user is not required to provide it.

AJLA-TS assessment of the effect of the breach is boilerplate: “While there is no indication that your information has been misused in any way…” is expected, the reality is they haven’t determined the criminal’s monetization of the data harvested. With name, date of birth and Social Security number, identity theft in the form of income tax fraud is entirely possible. Indeed, coupled with other open source information, financial fraud of many varieties are options to the cyber criminal. The aforementioned research reports consistently note that when PII is stolen, it is more often than not for financial exploitation.

Don’t collect what you can’t protect 

That should be the mantra of every company, and a phrase you will read often within these lines. Every company which collects and/or stores personal identifiable information should have in place a breach response plan. The plan should not just be on paper, it should be in place and tested. A well-oiled machine will run more smoothly when the time comes.

Those with web apps should test and retest those apps. AJLA-TS has, according to Bohannon, implemented, via a third-party, ongoing application scan, penetration test and full code review. And while it may seem a bit like closing the barn door after the cow has fled, the fact of the matter is that the AJLA-TS application provides a valuable service to these 10 states, and a repeat must be avoided.

Penetration testing is not throwing money away. Every reconfiguration should be tested in development prior to deployment. This incident demonstrates human error occurs, as Murphy’s Law of “Whatever can go wrong will” has never been repealed.

While we may not be able to reduce the odds to zero that a breach will occur, one can bring the odds as close to zero as possible. A sound philosophy is to plan for the next event, which hopefully never occurs. 

Leave your comments on our Facebook page.