Maryland state security sloppiness exposes personal data

Securing data can be hard work. It can be complicated. It can be expensive. And then sometimes you see people putting so little effort into it that there's just no excuse.

An example of this was sent to me by a reader. In anticipation of new gun control laws scheduled to take effect October 1, tens of thousands of citizens of Maryland applied for gun permits, which requires a background check.

The Maryland State Police, charged with performing the background checks, don't have the resources to do it soon enough, and, according to the Baltimore Sun,  "Gov. Martin O'Malley said ... that the state is mustering all necessary resources" to complete the task in time.

"Mustering all necessary resources" in this case means "cutting corners."

First the state scanned the forms. Then, in order to expand access to the data necessary to perform the background checks to over 200 data entry personnel in non-law enforcement agencies, the state set up a publicly-accessible web site with a single shared username and password.

The data entered in the site included driver's license numbers, social security numbers, addresses and other personally identifying information.

The site is no longer publicly-accessible, but the cat is out of the bag. Below is log of http traffic from the site:

The Baltimore Sun article linked to above did not recognize any privacy issue. It focuses only on the problem of the backlog, which is certainly a problem, but it also underscores the lack of general concern for the privacy problem.