Warnings issued after possible security breach
by Sasha Aslanian, Minnesota Public Radio
St. Paul, Minn. — The state of Minnesota has directed all of its agencies to stop using a Texas company state officials hired to verify the identities of new employees.
A state official told MPR News that it is notifying some 500 employees that their personal data -- including names, dates of birth and Social Security numbers -- may have been accessible on the company's Web site.
For more than three months, state agencies have used Lookout Services of Bellaire, Texas, to verify that new hires are authorized to work in the United States. The state had paid the company $1.50 a name to run employee data through the federal Department of Homeland Security's E-Verify program, which confirms that a worker has legal status and a valid Social Security number.
This week, Minnesota Public Radio was able to access state employee data on Lookout Services' Web site without using a password or encryption software. Employee names, birth dates, Social Security numbers and hire dates were visible on the Web site for every state agency using the service.
On Thursday, Minnesota Management and Budget, the state office that handles employment verification, took precautionary measures. Spokesman Curt Yoakum said the state itself was unable to access the records but acted immediately to protect employees' data.
"All agencies were notified on Thursday to stop using the vendor system," said Curt Yoakum, the office's director of legislation and communications. "We are in the process of notifying approximately 500 employees whose data was potentially involved."
Data from a long list of private companies also was accessible on the Lookout Services site. MPR News alerted the company to the problem, but as of late Thursday afternoon, the company had not reacted to the state's decision to suspend the service.
Lookout Services confirmed an earlier security breach occurred in October. CEO Elaine Morley said that breach occurred because a Lookout Services employee had used a Web address at an online education seminar that gave access to real data.
Company attorney David Person said its officials plugged "the hole" after that incident but did not alert clients whose employees' data might have been viewed.
"As far as I know, [the company] was investigating how they got in," Person said.
Lookout Services did not inform the Department of Homeland Security about the lapse because it did not have to.
"Is there a requirement to notify if there has been a security breach? The answer is no," said Bill Wright, deputy press secretary for U.S. Citizenship and Immigration Services in Washington. The agency is the part of the Department of Homeland Security that runs E-verify.
State officials have sought to verify employee status since 2008, when Gov. Tim Pawlenty signed an executive order requiring E-verification for all executive branch employees and large government vendors and contractors. In June, a Legislative Auditor's report said the administration still wasn't checking its own employees.
One of the hang-ups: Administration officials were concerned about the security of employees' private data.
The state then inked a two-year deal with Lookout Services, which works with more than 50 employers nationwide. The company's Web site describes a "seamless Fail Safe I-9 E-verify process."
Lookout Services is one of more than 13,000 designated agents registered to run E-verify checks for other employers, Wright said. Some designated agents log into the government's E-verify system directly. Others, like Lookout Services, build their own software, he said.
The department was not aware of any issues or problems with Lookout Services and its software met technical requirements, Wright said.
Minnesota is one of 46 states with a Notification of Security Breach Law. It requires that employees whose personal information has been accessed by an unauthorized person be notified "in the most expedient way possible."
The watchdog group that helped push for these laws said the potential security issue with the company should send a message to authorities.
Consumers Union urges consumers to ask their human resources departments who has access to their Social Security numbers and what they're doing with them.
Gail Hillebrand, a senior attorney with Consumers Union, said that passwords -- even complicated, non-intuitive, unguessable passwords -- are not enough to protect sensitive information.
"Companies should not keep particularly a Social Security number," she said. "Best protection is if it is not there anymore. Encrypt it. If they don't protect you, at least they have to tell you about it."
Now the state must tell hundreds of employees that their information was at risk.
One of them is Amy Buckmeier, who since late October has worked as a part-time cook at the governor's residence. She was surprised to learn that her personal information was available online.
"It's pretty disconcerting," Buckmeier said. "I've been the victim of identity theft before with my debit card so I've been through the whole thing and knowing that that information is out there is pretty scary."
- All Things Considered, 12/11/2009, 5:50 p.m.