Trojan Compromises Oregon Taxpayers

Blair writes "An employee at the Oregon Department of Revenue downloaded a trojan file from a porn site, possibly compromising up to 2,200 taxpayers. An information technology security officer with the state said, 'the released data likely involved names, addresses or Social Security numbers, or possibly in some cases all three.' I guess some of our public workers are having too much fun after all."

Whitelist sites they can and cannot use

[linzeal]

There is no reason anyone handling SS numbers should be given this sort of carte blanche access to their computers.

Re:moron!

[megaditto]

Actually there seem to be multiple failures in this. Running Windows, not employing some sort of web filtering software,[...] Actually, this is not surprizing at all. Remember all the red tape envolved!!!! To deploy 'web filtering software', a request has to be generated, afeasibility study needs to be performed, a 'validation' process has to be followed, SOPs have to be written, then the whole thing re-certified in its entirety (used to be, you would need to re-certify each component again after modifying one part). Of course the reason you they Windows is that NT 4 and 5 were 'certified' by the govt... if the site admin decided to bend the corners by installing linux on the desktop or router, he's be out of a job and possibly in jail! Frankly, they don't get paid enough for it.

You don't need a trojan ...

[Nicolas1979]

I just saw on CNN that some stupid government people in arizona and virginia opened up a public record accessible online. Maricopa county http://recorder.maricopa.gov/recdocdata/GetRecData Select.asp And the one who complain Virginia Watchdog http://www.opcva.com/watchdog/

7000 pages?

[afaik_ianal]

More than 1,300 people face identity theft after a state employee let in data-stealing spyware.

and

The Trojan horse gathered the equivalent of 7,000 text pages of data. But O'Meara said his staff spent weeks poring over the data and found no tax files or financial information. He said it was limited to Social Security numbers, names and addresses.

So that's ~5.3 "pages of text" per person they got only the SSN, name and address for. Either people in Oregon have really long names and addresses, or something else got sent with that data. I smell a cover up! :)

Re:Indicitive of a larger problem

[mr_zorg]

What he's saying is that the data should only be on an oracle or whatever database where only reporting applications can run pre-written reporting programs on it, Those program will then return reports to the idiot business people. Those reports will not return a soc. or other identifying info all at the same (and rarely that stuff at all).

You seem to be forgetting about the developers who design these things and the reports that the idiot business people run. Only 2,200 records were compromised? Sounds to me like a sample data file for a developer. I'm a developer and I have real data on my hard drive. Of course, I like to think I'm smarter than downloading sketchy files from a porn site on my work machine. But I'm only human, I may screw up some day, who knows.

An information technology security officer!!!??

[Zero__Kelvin]

Did the "Information Technology Security Officer" happen to say why they were running an OS and application configuration that would let this happen in the first place?

Noticeably missing from all of the articles I have seen is the name of the OS that was compromised. Is that because the news sites don't know there is more than one OS, because the reporters are incompetant, because Bill Gates will fire them if they mention it (think msnbc subsidiary), or because the reporters figure it is patently obvious that it was Windows since the compromise happened in the first place?