“I want to be clear: This was an attack on a third-party service provider. The Employment Security Department did nothing to cause this, and is not responsible in any way for this incident,” McCarthy said.
They've been saying this since it hit the news at least a couple of weeks ago. Don't they bear some responsibility for choosing a crappy 3rd party service? Maybe the lowest bidder?
I ran into the same thing with the Kitsap County (also WA) passenger-only ferry service ticketing system. They require a ton of personal information but they're using a 3rd party provider to process payments and reservations. Said 3rd party provider has (had?) a very open "privacy" policy (which should be called the "information sharing policy") which basically allowed them to share all the information with whoever they want for any reason. I contacted Kitsap Transit and they just didn't care. They don't see any problem, saying "everybody does that." When I pushed back, they forwarded me an email from the 3rd party where someone there claimed "we don't actually share it," and that was as far as I got.
It's such a shame that our own government can't treat personal information with respect.
The gov is absolutely responsible. They chose the vendors, they implicitly (or explicitly) approved their storage policies. The time range for these 'temporarily stored files' was Jan 1 to Dec 10 2020, aka a whole year.
Yes, but it's not sufficient to stop there. We need to ask the five whys -- why did this vendor get chosen? Why were the criteria developed that led to this vendor selection? etc. etc.
Yes, they are responsible to their users, but I'm going to guess that they have been put into a tough situation to modernize and increase in scale while also dramatically reducing budgets.
We can never give the government a pass because of one of their vendors. Allowed to continue, this provides for an easy circumvention of the constitution and due process.
Weirdly even with no legal recourse/repercussions for the abuse/misuse of personal information, people still love shifting blame for it, whether to their contractual partners or even users themselves. Almost like they know what they did was wrong.
The blame thing is largely down to the fact that the unemployment office in WA is already under massive scrutiny for paying out almost a billion dollars in fraudulent claims last year.
Yes they’re absolutely responsible. It’s not the job of affected citizens to police the choices of this agency or account for such risks. They can reasonably expect competence and safe handling of their private information, and the consequences of third party choices should be borne by the agency who hired them. They are also free to pursue action against that third party but it is ultimately their problem to own. Unfortunately that may not help anyone if the third party just folds and declares bankruptcy when they face lawsuits.
All government contracts that outsource a service with private data to a third party should have an absolute requirement that the data itself is not to be shared without approval, that any sharing has to be necessary for the service's functionality, and that the data access logs must be under the direct control and review of a government auditor.
I know why this isn't how it's done: because those third party contractors are selling your data and that's how they get the low bid for those contracts.
Many (probably most) of the government services in CA require some information leakage to Google, at the very least via captcha, but often via search integration, sometimes analytics, occasionally via Google Forms/Sheets/Firebase/Cloud as the backend. It's infuriating. We should not be subject to Google for any gov services, period.
I also live in Kitsap and I'm curious what privacy issues you ran into? I'd normally try to use John/Jane Doe info for this type of thing but it sounds like they were requiring ID. Were you able to find a workaround?
The privacy issue was that the 3rd party that provided the ferry reservation system (https://www.kitsaptransit.com/fast-ferry-reservations -- temporarily suspended) had a privacy policy allowing them to sell/share/give any information entered into the reservation system with any other 3rd party for any reason (marketing, advertising, analytics, whatever). I would link the privacy policy but their reservation system is no longer active due to COVID I guess?
I looked it up in my email and I also found that later on they switched to requiring a social media (facebook, google, something else?) account in order to reserve a spot on the taxpayer funded, government-run ferry. I actually quoted part of the privacy policy in my (unanswered) email to kitsap transit:
Sharing Information
We may disclose information collected from and about you as follows:
...
With our marketing partners, advertisers, or other third parties who may send you information about their own products and;
...
Contacting the company pretty much never works, but I've found contacting my representative to be quite effective. They have much more weight when they then contact the company.
No. The system when originally started had more people than seats so they had an online reservation system. You had to reserve to get a seat, but you didn't have to actually pay to reserve (until some point later?). There is some info about it here but I guess they temporarily stopped doing reservations: https://www.kitsaptransit.com/fast-ferry-reservations
If I recall you had to provide name, address, phone number, and email address.
You and other citizens are being tracked via "public" transport. USA railways have done this for decades. It is a revolving door to law enforcement and commercial use of that data.
I got hit by this. If you did, you really want to close the bank accounts that were exposed and open new accounts.
My credit union was very easy to work with on this, but it has still been a pain in the butt.
I think we need disposable, single purpose bank account numbers like some services provide for CC transactions. I sure wish I had a fake proxy account ID between my real account and WA state.
I am always mind-blown when a story like this hits the news: how has a country as technologically advanced as the USA not yet devised a single federal system where ordinary citizens can get information about accounts and loans opened in their names?
In France (my country), a single inquiry can net you all the information about the accounts opened in your name (which in turn helps you track down any other problem).
And then, how has the banking sector over there been forced to take a more procedurally secure approach to banking?
Originally the USA was more akin to the EU than to France. Some here would love to see it become like that once again with more autonomy for the individual states. Because of this we probably won't see a national portal any time soon.
Brazil has a similar system called Registrato, run by the central bank.
Honestly though, I’m not a fan of such all-encompassing federal systems. I live in the US but I’m in Brazil right now (yes, at the worst possible time for one to be here, but my mom passed away) and I’m appalled at how often I have to give heaps of personal information for the smallest inquiries or purchases. It feels extremely invasive and freedom-averse. I was also shocked at how easily some places could pull all sorts of information on me in just seconds.
I certainly understand this. And it's a tradition I admire. However, a case may be made that some things should be mandated at the federal level, particularly when they can, for example, ruin people's lives without their knowledge or will (e.g. credit scoring, double jeopardy, slavery, even death penalties IMO).
With the breach happening in December 2020, and the State Auditor's Office being aware of it on January 12th, I am curious as to why the announcement page was not published until February 1st, with notifications only being sent out now, over a month later. Seems like a rather sluggish response, unless I am misinterpreting the timeline. Is this a new wave of notifications, or have they only just now identified the affected individuals?
There ought to be a "HIPAA" bill for PII that only certain, special, accredited companies can hold that class of data. Password hashes, social security numbers, DoB, addresses, phone numbers, bank account no., credit card no. all need to be held back and dispensed very, very carefully and in a limited fashion. Want to have a website with a login? No more individual passwords, only OAuth2 (or similar) SSO using one of the accredited providers.
Preferably, there should only be 2-3 providers, all nonprofits, run as public utilities, and heavily audited.
Some folks got emails/letters at least three days ago. The third party provider in question is the same secure file transfer provider that led Kroger to notify its employees of the breach throughout the past couple of weeks.
With dozens of high profile attacks via the Accellion FTA vector, I wonder why this is not yet being treated as a crisis, and organizations proactively looking at their use of Accellion's deprecated products. They know it's vulnerable, so they're just sitting around twiddling their thumbs???
Is this a separate incident from the CA and WA unemployment offices getting scammed and making massive payments to Nigerians? Apparently the heads of those agencies somehow left their state level scandals for new positions in the Biden administration: https://www.foxnews.com/opinion/biden-reward-scandal-plagued...