Connecting state and local government leaders
The February incident shows why routine log reviews by IT security personnel are important.
An Oregon state employee has been placed on paid administrative leave and could face potential criminal charges for an unauthorized transfer of Department of Revenue records on approximately 36,000 people to personal cloud storage.
The department said that officials took quick action when IT security detected the incident.
Here’s what happened, according to an Oregon Department of Revenue statement released Friday:
On February 21, 2018, a Department of Revenue employee uploaded work files to a personal cloud storage account. Department of Revenue's information security staff identified the upload through routine log reviews. When the incident was detected, the employee's computer was seized and all network accesses and credentials were immediately disabled. The employee was duty stationed at home and placed on paid administrative leave pending conclusion of a conduct investigation.
Department staff immediately launched a security investigation to determine the scope of the incident and the specifics of the information involved. Over the next several days, all files were deleted from the personal account. No evidence exists indicating the information was viewed or accessed by anyone other than department staff.
While all data was successfully retrieved, it took time to thoroughly review the information involved and determine the number of potentially impacted individuals, as there were many duplicate records.
“By policy and by law, we can’t have employees move confidential taxpayer information,” a Department of Revenue spokesman, Derrick Gasperini, told Oregon Public Broadcasting. “For us, the good news is that our existing procedures were sound. Our detection systems worked.” The employee's apparent intentions with the taxpayer records are at this point unclear with Gasperini telling OPB that the state may have more information to share about the situation by April 4.
The Oregon incident is another reminder that state and local agency employees need to be careful with the sensitive data they hold. Likewise, IT security personnel need to keep their guard up for internal breaches, whether they're intentional or not.
In December, the California Department of Fish and Wildlife discovered that a former employee improperly downloaded “personally identifiable information” of department employees, including Social Security numbers and some home addresses, “to an unencrypted personal device and took the data outside of CDFW’s secure network,” according to notice about the incident sent to impacted employees in February. The incident prompted a California Highway Patrol investigation, though the state did not have information to suggest the former employee had malicious intent.
Michael Grass is Executive Editor of Government Executive’s Route Fifty and is based in Seattle.