Thousands of California state workers’ sensitive data exposed by former employee

Thousands of California state workers had their sensitive personal data exposed by a former employee. Individuals who worked at the California Department of Fish and Wildlife (CDFW) and California’s Wildlife Conservation Board in 2007, and vendors who worked with the board between 2007 and 2010, were victims of the breach.

The Sacramento Bee first reported on the data breach on Friday, February 16. The former employee downloaded Social Security numbers and, in some cases, home addresses of CDFW and California Wildlife Conservation Board employees and contractors to an unsecured device or network.

Almost a month passed before government agencies disclosed data breach details

The CDFW and California’s Wildlife Conservation Board sent a memo dated February 15 to existing employees. According to the notice, the departments immediately notified the California Highway Patrol upon discovering the breach. The patrol is investigating the incident, but did not confirm any criminal activity was involved and do not appear to believe the former employee acted with malicious intent.

According to the CDFW, no one was notified until last week because of a civil code stipulating that no information be released until law enforcement gives the OK. The civil code is meant to ensure that no criminal investigation is impacted by disclosures.

Neither agency provided a reason for the former employee’s actions .

The CDFW released the following statement: “CDFW regrets that this incident occurred and wants to assure you that we are reviewing and revising our policies, procedures, and practices to minimize the risk of future recurrence.”

The Sacramento Bee accidentally released California voter database

In an ironic twist of fate, The Sacramento Bee exposed a 95.1GB MongoDB on January 19. Part of the database contained registered voter information for the entire state of California, totaling 19,501,258 records. According to Kromtech Security, which discovered the breach, the database also contained:

  • Legislation data, e.g. bills, committees, voting results, etc.
  • Letters to the editor, reader opinions, restaurant reviews, etc.
  • Internal systems information, e.g. URLs, internal keys, user agent info and admin credentials
  • Data visualization information, e.g. local, commonly used baby names
  • API information, including subscriber and client data
  • State pay details

The database has since been removed. A similar database was leaked in December, on which Kromtech Security reported. A Shodan report revealed that the hackers left “Warning” and “Readme” notes in the MongoDB, implying it was an act of ransomware. It is unclear if the cyber crimes are related.

From the frontline, protect your information assets and customer privacy

For information security risk mitigation and data breach management initiatives to work, executives, management, personnel, and contractors must be cybersecurity aware. Staff awareness training is an effective way to meet data security needs, and regulatory and compliance requirements. Employee awareness can be costly, which is why IT Governance – a market leader in information security consulting – designed practical eLearning staff awareness courses.

From phishing and ransomware to GDPR awareness, IT Governance offers courses online that are less costly and more flexible than classroom courses. Each course is taught using non-technical, easily understandable language, and can be taken at any time designated by the program manager. Participants will learn:

  • Relevant definitions
  • Specific security and compliance requirements
  • Compliance-specific terminology
  • Procedures and policies application
  • Real-life examples, case studies and more

Find out more about our eLearning courses >>