A private company at the center of Minnesota’s latest data security breach says the viewing of private data online — including by the Minnesota Public Radio reporter who blew the whistle on the wide-open data — violated federal law and it’s suing the state.
In a news release posted on the company’s Web site, Lookout Services is pushing back against revelations that it left private data of about 500 Minnesota employees exposed:
Lookout Services Inc. filed suit against The State of Minnesota on December 10, 2009, but did not inform The State of Minnesota at the time the lawsuit was filed. In days prior to filing suit, Lookout Services notified The State of Minnesota with concerns about conduct of numerous attempts at unauthorized intrusions involving computers with IP addresses belonging to The State of Minnesota and Minnesota Public Radio.
“We told the State of Minnesota we were requesting an investigation, due to concerns that federal laws were being violated,” Morley said. “After expressing concerns to The State of Minnesota, the State agreed to instigate an investigation, but we felt that The State of Minnesota was not taking swift action, so we began blocking IP addresses and shutting down users.”
The release, however, did not say what the company was suing the state for. Nor is it clear whether the company is holding MPR liable for proving that the data was exposed to the public. E-mails to the company attorney have not yet been returned.
MPR reporter Sasha Aslanian broke the story on Friday that the data has not been properly secured by the company. State agencies have used Lookout Services of Bellaire, Texas, to verify that new hires are authorized to work in the United States. The state had paid the company $1.50 a name to run employee data through the federal Department of Homeland Security’s E-Verify program, which confirms that a worker has legal status and a valid Social Security number, Aslanian reported.
Aslanian said she was able to access state employee data on Lookout Services’ Web site without using a password or encryption software. Employee names, birth dates, Social Security numbers and hire dates were visible on the Web site for every state agency using the service.
MPR News officials have not yet commented on the situation.
Update 11:37 a.m. – MPR News Director Mike Edgerly issued this statement:
We are aware of Lookout Services allegations concerning an investigative report by MPR’s Sasha Aslanian. Sasha’s story exemplified good, solid reporting and we stand by it.