E-mail exposes employees' payroll data

By Admire Moyo, ITWeb news editor
Johannesburg, 23 May 2011

numbers and other payroll information were included in an unencrypted e-mail, according to Drew Malcomb, a Department of Interior spokesman, notes the Los Angeles Times.

The 4 May e-mail was sent by a contractor at the department's National Business Centre, which manages payroll, human resources and financial reporting for dozens of federal agencies, Malcomb said.

Interior Department policies require that sensitive personnel information be encrypted when e-mailed. But the contractor neglected to encrypt the e-mail, and the software in place to catch such errors did not work properly, Malcomb said.

Affected employees were notified last week and were offered 60 days of free credit monitoring, reports CompliancEX.

“There is no indication that the data was intercepted,” Malcomb said, adding that personal information was exposed for about 60 seconds “during the time the e-mail was being sent, from the moment when the person hit send to the time the other person gets it in the inbox.”

“It was only a 60-second window of vulnerability, but 60 seconds is too long,” he said. The National Business Centre has had other data incidents.

The employee responsible is now barred from dealing with personal data, according to Next Gov.

Interior has opened an investigation into the matter and will hold accountable workers who were at fault, Malcomb said.

In addition, all outgoing files with sensitive information now must be approved for release by federal supervisors before they are sent over the Internet, he noted. Every customer support agent also will be required to undergo more computer security training.

Such exposures of unencrypted personal information go unnoticed almost daily because they are not reported, according to John Gilligan, a member of the Obama-Biden transition team who helped formulate the administration's IT policies in defence and intelligence.
