The US state of Georgia has allowed a remote attacker to
access a database containing the details of 570,000 members of the
state’s pension scheme.
The breach has been blamed on an unpatched flaw in
one of the state’s security programs, although the supplier of the
software has not been disclosed.
The attacker is said to have breached the system towards the end
of February, using a variety of hacking tools to access the server
hosting the database.
Georgia said it was in the process of fixing the security flaw
in the system, but the hacker got there first and took advantage
of the problem when the supplier publicised it and advised
a fix.
Although there is no evidence so far that the attack has led to
any of the information being used for identity theft or other
fraud, the state has contacted 180,000 affected employees.
The state doesn’t have contact details for the others affected,
mainly those who are former employees, and is relying on media
reports to alert them to the potential problem.
Earlier this month it was disclosed that the state of Florida
had unwittingly released the personal details of tens of thousands
of its employees to an offshore Indian outsourcer.
This outsourcer had wrongly been sub-contracted to complete data
indexing work, in breach of the contract held by the main
contractor.
Florida was forced to contact the employees affected by the data
disclosure.