An Oregon Department of Revenue employee has copied the personal data of about 36,000 taxpayers to a personal account. The incident was detected on February 23, two days after the information was uploaded.
Information security staff identified the incident via “routine log reviews”. According to the news release, upon discovery, the employee’s computer was seized and network access and credentials were disabled.
An investigation was launched to determine the severity of the incident. All affected data was removed from the personal account, and there is no evidence to suggest that anyone outside the department saw the information.
After being thoroughly reviewed, the incident was disclosed on March 23, a month after it occurred.
Affected data is said to include names, addresses and Social Security numbers. The department responded very swiftly to the incident and took appropriate action to prevent further misuse. Those impacted are being informed, and, as a precautionary measure, provided with identity theft services.
It is not known why this information was taken, but the volume of data affected suggests that this incident was not an accident.
The investigation is expected to conclude in April.
Educate your staff
Although this is an example of deliberate data misuse rather than human error, it shows the importance of ensuring that staff are aware and understand the consequences of their actions, as well as information security best practices.
Our Information Security Staff Awareness eLearning Course will teach employees how to avoid becoming a security liability, introduce internal policies on incident reporting and responses, and provide basic knowledge of information security best practices to reduce preventable mistakes.