Modernization

North Carolina data breaches expose internal documents, personal records

Two unrelated breaches exposed both official working documents and the social security numbers of agency customers.

April 4, 2017

North Carolina state government experienced two data breaches, according to reports released Tuesday.

Security research firm MacKeeper reported a statewide data breach that occurred last month exposing internal documents spread across the offices, divisions and departments of Administration, Health and Human Services, Medical Assistance, Cultural Resources, Public Safety, State Controller, State Budget and Management and Information Technology. Offline, physical boxes containing personal information of up to 24,000 customers of the North Carolina Division of Motor Vehicles were erroneously disposed, according to a notice issued by the division.

The online data breach, which left sensitive, internal documents marked “for official use only” exposed on the public internet until it was found on March 18, was discovered by a security researcher through a Google search that included the URL of the state’s cloud storage provider.

The breach discoverer said that while the state disabled access to the file repository after discovery, some documents still remain cached online and that the state has not contacted him for questioning.

A spokesperson from the Department of Information Technology (DIT) told StateScoop a slightly different story.

“DIT’s review concluded that the documents identified, one of which was a training slide deck, did not contain sensitive data and were properly vetted through external agencies prior to publication on the site,” the spokesperson said. “The For Official Use Only (FOUO) marking was inaccurate and the information was publicly releasable.”

The improper document disposal included records collected between Sept. 1, 2016, and March 7, 2017, according to the Division of Motor Vehicles’ notice. The DMV reported that the documents were supposed to have been shredded, but were marked as regular trash. The forms included in the boxes included insurance verification, driver current history detail and voter registration, which contained names, addresses, dates of birth and social security numbers.

The DMV’s response was to retrain staff on proper document disposal and discipline the responsible office manager at the North Raleigh Driver License Office on Spring Forest Road.

In an email to StateScoop, a spokesperson said: “As of this morning we have not been contacted about any incident in which personal information is possessed by any individual or group. The boxes in question are believed to be buried in a landfill, but we sent letters to customers of that specific office going back to September to err on the side of caution.”