Company that exposed private Minnesota data goes on offensive

A private company at the center of Minnesota’s latest data security breach says the viewing of private data online — including by the Minnesota Public Radio reporter who blew the whistle on the wide-open data — violated federal law and it’s suing the state.

In a news release posted on the company’s Web site, Lookout Services is pushing back against revelations that it left private data of about 500 Minnesota employees exposed:

Lookout Services Inc. filed suit against The State of Minnesota on December 10, 2009, but did not inform The State of Minnesota at the time the lawsuit was filed. In days prior to filing suit, Lookout Services notified The State of Minnesota with concerns about conduct of numerous attempts at unauthorized intrusions involving computers with IP addresses belonging to The State of Minnesota and Minnesota Public Radio.

“We told the State of Minnesota we were requesting an investigation, due to concerns that federal laws were being violated,” Morley said. “After expressing concerns to The State of Minnesota, the State agreed to instigate an investigation, but we felt that The State of Minnesota was not taking swift action, so we began blocking IP addresses and shutting down users.”

The release, however, did not say what the company was suing the state for. Nor is it clear whether the company is holding MPR liable for proving that the data was exposed to the public. E-mails to the company attorney have not yet been returned.

MPR reporter Sasha Aslanian broke the story on Friday that the data had not been properly secured by the company. State agencies have used Lookout Services of Bellaire, Texas, to verify that new hires are authorized to work in the United States. The state had paid the company $1.50 a name to run employee data through the federal Department of Homeland Security’s E-Verify program, which confirms that a worker has legal status and a valid Social Security number, Aslanian reported.

Aslanian said she was able to access state employee data on Lookout Services’ Web site without using a password or encryption software. Employee names, birth dates, Social Security numbers and hire dates were visible on the Web site for every state agency using the service.

MPR News officials have not yet commented on the situation.

Update 11:37 a.m. – MPR News Director Mike Edgerly issued this statement:

We are aware of Lookout Services’ allegations concerning an investigative report by MPR’s Sasha Aslanian. Sasha’s story exemplified good, solid reporting and we stand by it.

  • Greg Hruby

    A state contract would have clearly identified what data was classified private and that the data must be protected. Once the company agreed to the contract they became responsible for treating the data appropriately and under the requirements of the contract and state/federal law regarding data privacy. The state agency has to both review and approve the product provided and to test it for problems and issues. A review should look at the diligence on both sides and the quality of the contract language they were operating under. In general, the company has some serious issues for its marketing department – they need to be able to explain how they built a protected system that no illegal action to see private/secure data.

  • Jon

    unauthorized access of a computer system… there are some very vague laws around computer hacking… and following the letter of some of those laws, simply viewing data you know you aren’t supposed to is illegal…

    laws vary from state to state, but computers are so new, and the laws around them are often defined by those who don’t understand computers or information technology at all. not knowing the full story, I’d not be surprised if some laws were violated accessing that data.

  • bsimon

    Didn’t Sen Coleman’s campaign try a similar tactic when their data was breached?

    Lookout Services’ move seems to be PR oriented: deny their own culpability & blame the whistleblower. I suspect the courts will not find their arguments persuasive.

  • John

    Quote: “Sasha’s story exemplified good, solid reporting”

    By not speaking with any computer security experts? And instead talking to someone from a consumer’s union to discuss a breach of a B2B application used for data on employees, not consumers? Neither good nor solid if you ask someone who knows about this sorta thing.

    Never mind the fact that mention of “Data from a long list of private companies also was accessible…” is pretty much added as an after-thought.

  • Gardoglee

    This seems like a very odd case, since it would seem that the company which held the data was responsible for the security, not the State of Minnesota. However, after decades of working with systems for various states it occurs to me that this may well have been an access through a State system to the private system, in which the vendor provides a secured gateway to the State, and the State is responsible by the contract and by the law for the user “authentication and authorization” functions, that is to prove the identity of who is trying to access, and to decide who can get access to the gateway through their system. Techie talk, yes, but it is increasingly the way these systems are being built. There are also other variations of “federated security” in which responsibility for various parts of the security are distributed between the two sides of the transaction. All of which is to say that it is not obvious from the scant details we have in the news story exactly who messed up here. This will be a case for the court to find the appropriate technical experts to look at the design, the contract, and applicable state and federal statutes. It does seem odd to file a lawsuit and not inform the entity against whom you are filing. It also seems odd that if the State was responsible for the security that the reporter was able to access data for employees of other organizations. However, don’t rush to judgment with incomplete information. In a data breach case there are usually a series of mistakes which led to the breach. Who did or did not do what may legitimately take a while to sort out.