North Carolina “Leaves the Back Door Open”
A statewide breach was recently discovered in North Carolina. Until my notification on March 18th, a file repository through a well known cloud storage provider was completely exposed to the public internet.
Upon further research we found a trove of data from a range of North Carolina government offices, including Dept of Administration, Dept of Health and Human Services, Division of Medical Assistance, Dept of Cultural Resources, Dept of Public Safety, Office of State Controller, Office of State Budget and Management, NC IT Department.
Within the cloud repository exists a vast array of sensitive as well as non-sensitive data, including “For Official Use Only” Department of Homeland Security documentation. The irony of the situation is also worth noting, as some of the exposed documents discuss a current North Carolina initiative to move government files out of insecure cloud situations.
Im glad to see any government agency make an attempt at minimizing the casual use of less-secure cloud applications, but theres something to be said for leading the charge and setting an example. Having a careless data breach within your own IT department is devastating to morale. The damage is not worth cutting corners.
Some of you are probably wondering why I would even write this post. It will only cause further problems for North Carolina, right? Well, I struggled with that question in my head for a little while, and I might have decided to let this one slide without a drawn-out blog post. The deciding factor for me came down to incident response, or a lack thereof.
While North Carolinas IT department fixed the issue overnight on the 18th by disabling access to the repository, following my notification, but they have not at any point attempted to contact me. A well-thought-out incident response plan should include contacting the breach discoverer.
For example, I may have been able to suggest that they contact Google and have certain cached documents taken down from the search engines results. They could have enquired as to how I found the open repository, or what I downloaded, or even if I still have any of the data. Those are all very important questions that should be covered by any data breach response team.
You cant let embarrassment stop you from doing a proper breach investigation. You must own up to your mistakes, fix the problem, and be honest with yourself, your staff, and the public.
All those repositories were discovered as a result of a simple Google search and are still cached/available. In order to avoid that a webmaster should have created a robots.txt in root directory.
Ill leave you with the North Carolina “Cyber Security Pledge” (it was found within the breach documents).
Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Research Center.
Do you have security tips or suggestions? Contact: firstname.lastname@example.org
Nearly every state in the US has some type of data breach notification law on the books. North Carolina is just one of the forty-seven states, including the District of Columbia, Guam, Puerto Rico and the Virgin Islands that require private or government entities to notify individuals of a security breach or data leak. Kromtech Security Researchers discovered what appears to be a statewide breach that possibility included sensitive data from nearly every major branch of North Carolinas State Government.
According to the State Attorney Generals Office a “security breach” is defined as “the unauthorized release of unencrypted or unredacted records or data containing personal information with corresponding names, such as a persons first initial and last name”. There are also strict requirements on notifying citizens or individuals who were affected by the breach. Based on the initial assessments of how many agencies were listed in the discovery it could have potentially included a vast majority of North Carolinas citizens.
This is not the first cyber security wakeup call for the state in the last several months. In July 2016 North Carolina State University officials announced that an email account containing personal information of about 38,000 people was illegally accessed and it occurred "through a sophisticated phishing scam." Unlike the North Carolina State University incident this discovery was not password protected and serves as a another warning for states, colleges, and companies to audit and test their security practices regularly.
Information for editors:
The Kromtech Security Center was established in Dec 2015 with the goal of helping to protect data, identifying data leaks and following responsible disclosure policy. Our mission is to make the cyber world safer by educating businesses and communities worldwide. Many of our discoveries have been covered in major news and technology media, earning the Kromtech Security Center a reputation as one of the fastest growing cyber data security departments.