Enquirer Herald

Security breach detected on York County government Web server

York County officials detected an intrusion into a webserver containing personal information on thousands of job applicants and vendors, they announced Friday.

The breached webserver contained a database with thousands of names and social security numbers of current, former, and prospective job applicants and some vendors.

On Friday the county mailed out 16,981 letters to potential victims, including about 230 vendors, said Joel Abernathy, director for York County's information technology department.

County officials discovered the intrusion during routine maintenance on August 29, 2011, he said.

The server breached contained an old backup database of an old online application, "and that's where the majority of (the names) were," he said. "The database could be 12 to 15 years old" and contained about 12,500 names.

The remaining names came from a newer database collected up until August 29, when the county detected the intrusion and shut the database down.

County officials made a copy of the entire server and sent it to the S.C. Law Enforcement Division, the S.C. Sharing & Analysis Center, and local authorities for investigation.

Forensic testing showed that the vulnerability was in an application on the county's website. Abernathy said the county has been working to "tighten up" the website's security, rewriting pages and implementing new security measures.

County Manager Jim Baker said the county has done some "spot checking" for unauthorized uses of the information by having employees run credit checks, and there's been no evidence that any of the information was misused.

There's really no other way to determine whether any information was taken or has been misused, he said.

The delayed notification to potential victims was in part to give the county time to identify the problem and fix it, Abernathy said.

State law also allows for a delay in notification if law enforcement sees notification as a potential security threat.

Abernathy said authorities traced the hacker overseas, but couldn't provide a more specific location.

"It's embarrassing to us," Baker said Friday. "We don't ever like to see that happen to any data that the county holds. I wish I could say there's a foolproof way (to prevent it), but I can't."

To find out more regarding this matter, please visit York County’s website at www.yorkcountygov.com/notification or by calling (803) 818-6891 for assistance, Monday through Friday 8 a.m. to 5 p.m.

Read more here: http://www.heraldonline.com/2012/05/11/3966511/york-co-government-finds-security.html#storylink=cpy