How Jeb Bush Exposed 12,564 SSNs from a Decade Old Data Breach
In 2003, a PowerPoint presentation containing 12,564 Names, Social Security Numbers, and Dates of Birth was attached to an email sent by an employee of Florida’s Development Disabilities Program to then Governor Jeb Bush and 47 other recipients. In addition to Florida state government email recipients, the message was sent to email addresses at aol.com, comcast.net, juno.com, hotmail.com, netzero.net, att.net, earthlink.net, rr.com, mindspring.com, and bellsouth.net. Due to the historical challenges when attempting to precisely discover sensitive data and accurately classify it, it was extremely difficult to find and control sensitive data. But today, solutions can automate these processes and help organizations prevent sensitive data leaks such as the incident with Mr. Bush and the recent Sony attack.
Identity Finder researchers used its recently announced Sensitive Data Manager 8.0 software to automatically analyze the email messages and attachments posted to the Internet by Mr. Bush and quickly and precisely identify sensitive personal information. The results included the discovery of a single file that has exposed over 12,000 individuals to the long term risks of identity fraud. Click the image to enlarge it.
That file was a presentation was a single slide displaying a chart depicting the district level trends for a waitlist. That chart was pasted from Excel into PowerPoint as a “Microsoft Office Excel Worksheet Object,” which Microsoft states “provides access to the entire worksheet in the presentation, including data that you may want to keep private.” As you can see from the below screenshot, it only appears as if a picture of a bar graph exists, but in reality there is a wealth of underlying data from a large Excel file embedded into the PowerPoint file. This functionality makes it very difficult for organizations to control information but extremely easy for hackers and identity thieves to gain access to unintentionally exposed, sensitive data.
This example spotlights an extremely common data problem in organizations today: employees forget, or never knew, that confidential information exists causing their sensitive data footprint to unintentionally grow thereby creating additional targets for cyberattacks. This problem is extremely difficult to solve for enterprises with poor data discovery and classification tools.
As noted in the screenshot below, the chart is editable, not simply a picture. The underlying Excel data becomes visible when the chart is double-clicked:
Notice at the top it shows Column N, O, P, etc. By scrolling to the left, A, J, K, L and M appear. Columns B through I are hidden from view but are still there and contain a wealth of data:
By unhiding Columns B through I, multiple columns of sensitive data are exposed. These include Social Security Numbers, Last Names, Full Names, Middle Initials, and Dates of Birth; all the information needed to commit identity theft – such as filing a fraudulent tax return to claim a tax refund.
There are 12,594 people listed in these columns and their personally identifiable information has been exposed outside the State of Florida since 2003 and were exposed to the world when Mr. Bush posted his Outlook PST files (containing over 300,000 e-mail messages and attachments) online publicly. Those individuals should check their credit report immediately to see if they are already a victim, start monitoring their credit, and potentially place a freeze on their credit report.
Between this innocent mistake, the collateral damage from Sony, and the targeted attacks at JP Morgan Chase, Target, Home Depot, and the hundreds of other breaches in 2014, organizations must start to understand the critical importance of reducing their sensitive data footprint and shrinking the target! Businesses can no longer believe that they can block cyberattacks and keep the bad guys out of their networks.