A day after 7 On Your Side reported that a security flaw on WMATA.com's career website possibly allowed anyone to access the personal data of applicants to the agency, we are learning more about Metro's response and new concerns from identity-theft experts.
On Wednesday, a viewer who had applied for a job at Metro contacted 7 On Your Side to disclose a potential security breach on the site. It turns out that with a little click-through and someone's email address, a user could access a trove of personal data.
A user could do so simply by entering that person's address into a Refer A Friend box on the site. If that person had applied for a job at Metro, in two clicks, you had access to their home address, phone numbers, salary preferences, resume and other information.
"This is something that could be very serious in the hands of the wrong people," Virginia-based cybersecurity expert Jack Mannino said. "The information you can take from this...you can do quite a bit with identity theft."
After ABC7 notified WMATA of the breach, they shut down the Refer A Friend feature and said in a statement that the error "did not allow for the release of sensitive personal information, such as employment records or social security numbers."
However, Neal O'Farrell, the executive director of the San Francisco-based Identity Theft Council, says a potential thief doesn't need much to harm you.
Responding to that Metro statement via Skype, O'Farrell told 7 On Your Side's Kris Van Cleave, "I think it's troubling they took a security hole so lightly. The reality is you can do a lot of damage with any personal information. You only need a user's email address."
WMATA refused requests to talk on camera, but after our follow-up reports Friday, and repeated requests, WMATA spokeswoman Caroline Lukas acknowledged 13 current Metro employees and about 30 applicants had the potential to have their information viewed because of the flaw 7 On Your Side discovered. She says those people have been notified by email of the situation.
In an email Lukas writes, "a review of logs showed that these were the only individuals whose information could have potentially been viewed."
Friday evening Lukas provided ABC7 a better sense of how the agency responded after 7 On Your Side alerted them to the problem. She says WMATA removed the Refer a Friend feature within twenty minutes of being notified. Based on their investigation so far, the only confirmed cases where information was accessed were the examples provided by WJLA-TV.
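As an added example (not WMATA's or its vendor's code), the lookup pattern described above in its vulnerable and hardened forms, together with the kind of log review Metro says it used to work out whose records could have been viewed; the applicants, addresses, URL path and log lines are all constructed for illustration.

```python
# Constructed illustration of the "refer a friend" flaw class and its scoping.
import re
from dataclasses import dataclass

@dataclass
class Applicant:
    email: str
    home_address: str
    phone: str
    salary_preference: str

# Constructed applicant store standing in for the career site's database.
APPLICANTS = {
    "alice@example.test": Applicant("alice@example.test", "1 Main St", "555-0100", "70k"),
    "bob@example.test": Applicant("bob@example.test", "2 Elm Ave", "555-0101", "65k"),
}

def vulnerable_refer(friend_email: str) -> dict:
    """Flaw class in the article: the referral form keys on an email address and
    hands the whole applicant record back to whoever typed that address."""
    applicant = APPLICANTS.get(friend_email)
    if applicant is None:
        return {"status": "not found"}  # the differing reply also reveals who applied
    return {"status": "found", "profile": vars(applicant)}

def hardened_refer(friend_email: str) -> dict:
    """Same reply whether or not the address belongs to an applicant; the referral
    is recorded server-side and no profile fields ever leave the server."""
    return {"status": "referral recorded"}

# Constructed web-server access log; the /careers/refer path is an assumption.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2000:14:02:11] "GET /careers/refer?email=alice@example.test HTTP/1.1" 200 812',
    '10.0.0.5 - - [01/Jan/2000:14:02:40] "GET /careers/refer?email=nobody@example.test HTTP/1.1" 200 41',
    '10.0.0.9 - - [01/Jan/2000:14:05:03] "GET /careers/index HTTP/1.1" 200 3021',
]
LOG_RE = re.compile(r'"GET /careers/refer\?email=([^ &"]+) HTTP')

def affected_from_logs(log_lines) -> set:
    """Breach scoping as Metro described it: collect every email queried through
    the referral feature and keep those that match an applicant, for notification."""
    queried = set()
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            queried.add(m.group(1))
    return queried & set(APPLICANTS)
```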
Experts weigh in
Karen Barney, the Identity Theft Resource Center’s Program Director says this breach did not meet the legal definition of the term ‘sensitive personal information.’ The phrase used in Metro's statement is often based on a state’s data breach disclosure laws. In this case, “it does not reach the level of breach notification laws,” she said.
However, she and four other identity theft experts consulted for Friday's report say there is still the potential for identity theft based on what 7 On Your Side was able to access.
“That’s significant information to phish somebody with,” Barney said.
Several of the experts we talked to said the agency's statement could have gone further.
“For someone to say this isn’t really sensitive information, they just don’t get” says Adam Levin, Chairman of Identity Theft 911 and the former consumer affairs director for the state of New Jersey, “with a lot less information the bad guys are capable of accumulating a lot more information.”
“Metro is incorrect. This is the kind of information identity thieves troll for all the time,” says Rob Douglas, a Colorado-based identity theft expert.
Douglas worries about phishing scams: “What the identity thieves will do, now they have enough information—home address, email address…I now call you and I’m metro, I’m WMATA and I pose as one of the employment people there and now I begin applying the rest of the information.”
Neal O’Farrell, from the Identity Theft Council in San Francisco, agrees that is a potential danger if someone is “tricked into dropping their guard because they already had a relationship” with WMATA.
O’Farrell wrote in an email to ABC7’s Kris Van Cleave this issue "was an easy mistake to avoid if the organization had given any real thought to security; and it’s absolutely wrong, and usually an effort to minimize a breach, to suggest that personal information like a name and address, or email address, is not sensitive.”
O’Farrell adds that it's possible hackers will try to take advantage of the coverage of this security breach to target people with phishing schemes by pretending they are Metro and warning people about an information breach. He suggests being cautious if you are called or emailed and asked for sensitive information like your Social Security Number.
Here's Metro's statement:
Upon being notified of the condition, we immediately removed the "refer a friend" feature from our website and will work with the software vendor to make appropriate fixes before redeploying it. It is important to note that this error required knowledge of an applicant’s email address, and did not allow for the release of sensitive personal information, such as employment records or social security numbers. The "refer a friend" feature had only been on our website for about two months. The FY12 approved budget authorized 11,319 positions.