January 17, 2013

Cumberland shuts down website after personal data posted

Personal data of about 275 past and present workers is quickly removed after it's found to be public.

By Matt Byrne mbyrne@pressherald.com
Staff Writer

CUMBERLAND — Cumberland officials are trying to determine how 275 names and Social Security numbers of current and former town employees were posted to the town's website.

Town Manager Bill Shane said the breach was discovered Jan. 9 by an employee who Googled a name, found the personal information publicly available, and notified Shane.

The town's website was quickly shut down.

Within 30 hours the data had been scrubbed from the Internet, Shane said.

However, Shane said the list -- originally filed with the state in 2008 for unemployment insurance purposes -- could have been available for as long as four years.

It included information on rank-and-file workers, all the way to town councilors and Shane himself, he said.

"No one really escaped this event, unfortunately," Shane said.

"It's pretty frustrating, to be honest, when you don't know how or why."

Security experts are still trying to determine how the document landed on the website.

The town is employing the company that normally administers the site to do a full security evaluation, he said, a service that is estimated to cost less than $5,000.

After the discovery, Shane sent letters to all 275 employees whose information was released.

He apologized for the breach and said the town would pay for three months of credit checks, and offered to make an attorney available to answer questions about legal ramifications.

Shane said no one has come forward to say their identity has been stolen, and new protocols have been developed so that he and three other administrators have "veto power" over any documents uploaded to the website.

"I think we've done all we can to contain the damage, and hopefully we're on the right track to improving the system security," Shane said.

One town councilor, William Stiles, who received the letter and whose name was on the list, was nonplussed by the revelation that his name and Social Security number were left vulnerable in cyberspace.

He said he received similar notifications in 2008, when 4.2 million credit card numbers were stolen from Hannaford stores, and again in 2012, when TD Bank lost data tapes with sensitive customer information.

"Ho hum," Stiles said, flatly. "Am I concerned? Yes, but I do everything I can to protect (my information). Some things are beyond your control and you have to deal with it."

Staff Writer Matt Byrne can be contacted at 791-6303 or at:

mbyrne@pressherald.com

Were you interviewed for this story? If so, please fill out our accuracy form

Send question/comment to the editors




Further Discussion

Here at KJonline.com we value our readers and are committed to growing our community by encouraging you to add to the discussion. To ensure conscientious dialogue we have implemented a strict no-bullying policy. To participate, you must follow our Terms of Use.

Questions about the article? Add them below and we’ll try to answer them or do a follow-up post as soon as we can. Technical problems? Email them to us with an exact description of the problem. Make sure to include:
  • Type of computer or mobile device your are using
  • Exact operating system and browser you are viewing the site on (TIP: You can easily determine your operating system here.)