Maryland state security sloppiness exposes personal data

Summary: Careless practices by the State of Maryland have exposed the data on thousands of background check forms to even the most casual hacker.


Securing data can be hard work. It can be complicated. It can be expensive. And then sometimes you see people putting so little effort into it that there's just no excuse.

An example of this was sent to me by a reader. In anticipation of new gun control laws scheduled to take effect October 1, tens of thousands of citizens of Maryland applied for gun permits, which requires a background check.

The Maryland State Police, charged with performing the background checks, don't have the resources to do it soon enough, and, according to the Baltimore Sun, "Gov. Martin O'Malley said ... that the state is mustering all necessary resources" to complete the task in time.

"Mustering all necessary resources" in this case means "cutting corners."

First the state scanned the forms. Then, in order to expand access to the data necessary to perform the background checks to over 200 data entry personnel in non-law enforcement agencies, the state set up a publicly-accessible web site with a single shared username and password.

The data entered in the site included driver's license numbers, social security numbers, addresses and other personally identifying information.

The site is no longer publicly-accessible, but the cat is out of the bag. Below is a log of HTTP traffic from the site:


The Baltimore Sun article linked to above did not recognize any privacy issue. It focuses only on the problem of the backlog, which is certainly a problem, but it also underscores the lack of general concern for the privacy problem.

  • Security Literacy

    The problem with non-tech reporters covering security stories is they do not understand computers and computer security. They are users who hopefully are following security best practices for a user but that is the limit of their understanding. This problem actually extends to any somewhat technical issue for these reporters.
    • Are you trying to imply something?

      Your comment seems like a non-sequitur
  • NSA

    Obviously it was the NSA cracking the originally encrypted data and reposting it so that their assets could access it.
  • Security illiteracy

    A publicly accessible website??? You have got to be kidding me. And with access granted to non-vetted personnel? I'm so glad to see that Governor O'Malley and the state are doing their "due diligence" re securing and protecting the private data of Maryland's citizens.

    Can anyone say lawsuit? ;)