A settlement of $264,000 has been agreed between the Vermont Attorney General and SAManage USA in relation to the 2016 data breach that resulted in the Social Security numbers of 660 Vermont residents being exposed online.
SAManage USA, a technology group that supplies business support services, did not secure an Excel spreadsheet that held information relating to the state health exchange, Vermont Health Connect.
The spreadsheet was linked to a job ticket that was part of the firm’s cloud-based IT support system services and was given a unique URL. The URL could theoretically have been guessed by any individual and opened using a web browser without any need for special authentication.
The spreadsheet was also indexed by the Bing search engine and was shown in the search engine results pages. Bing also displayed a preview of the contents of the spreadsheet, which clearly showed names and individual Social Security numbers.
Vermont Attorney General T.J. Donovan said a Vermont citizen obtained the spreadsheet via the search engine listings and reported the violation to his office, leading to an investigation. The Vermont Attorney General’s office contacted AWS and asked for the document to be taken down. Amazon then contacted SAManage USA to warn the firm of the breach. However, while an engineer was advised of the SAManage USA data breach, the incident was not reported to the appropriate personnel within the company.
The Vermont Security Breach Notice Act states that companies should alert the Attorney General’s office of a breach within 14 days of discovery and consumers within 45 days. SAManage USA was made aware of the breach by Amazon on July 25, 2016, but it took until late September 2016 for the Attorney General’s office to be advised, shortly after the Attorney General contacted SAManage USA about the data violation.
It took almost two months for breach victims to be advised of the breach. Attorney General Donovan said that were it not for the actions of his office, the data breach would not have been reported.
SAManage USA has agreed to a $264,000 settlement to resolve the legal case and will adopt a thorough corrective action plan, which includes putting in place a comprehensive information security program to stop further privacy breaches.
In a media statement about the settlement, Attorney General Donovan stated, “Vermonters are increasingly aware of the dangers of mishandling Social Security numbers, and we will continue to protect them by enforcing our data breach and consumer protection laws.” He went on to explain that “This is an appropriate penalty given the specific facts of this incident and that the company fully cooperated with our investigation.”