Minnesota Employee Data Exposed by Lookout Services

Personal information related to hundreds of Minnesota state employees has been publicly available on the Web for months–unencrypted and without any sort of password protection. Minnesota entered into a two-year deal with Texas-based Lookout Services to use its “seamless Fail Safe I-9 E-verify process”, but all state agencies have been ordered to stop using the service following discovery of the data breach.

Exposed data included employee names, birth dates, Social Security numbers and hire dates for every Minnesota state agency using the service, as well as personal data from a variety of other Lookout Services clients.

Lookout Services is one of about 13,000 firms registered with the Department of Homeland Security (DHS) to process E-verify checks to determine citizenship and employment eligibility for prospective employees. However, Bill Wright, deputy press secretary for U.S. Citizenship and Immigration Services–the agency within DHS responsible for E-verify checks– responded saying “Is there a requirement to notify if there has been a security breach? The answer is no.”

The state of Minnesota, however, disagrees with  that philosophy. Minnesota is one of 46 states that does require victims be notified in the event of a data security breach. The Minnesota legislation requires that victims whose data has been exposed to unauthorized access be notified as soon as possible about the breach.

The responsibility for protecting the data ultimately lies with the companies or agencies it was originally entrusted to. Part of the process of engaging a third-party to handle such sensitive information is to ensure they have strong policies and procedures, and adequate security controls in place to safeguard the information. Apparently, Minnesota didn’t do its due diligence prior to partnering with Lookout Services.