The San Francisco Employees’ Retirement System has suffered a data breach, with data belonging to some 74,000 members likely stolen.
The breach came via the third-party web development firm 10up Inc., which hosts the website for SFERS. 10up placed a database containing the records of 74,000 members, dating from August 2018, on a test server that was hacked Feb. 24. The breach was not discovered until March 21.
Data potentially stolen includes full names, home addresses, dates of birth and beneficiary details (name, date of birth and relationship), as well as SFERS website usernames and security questions and answers. For retired SFERS members, the information also included IRS forms and bank routing numbers.
The breach notice from SFERS states that 10up has no evidence that the member details were removed from the server, but likewise cannot confirm that the data was not viewed or copied.
In what has become the textbook response to a data breach, SFERS has reset all user passwords and is offering members a free year of identity theft protection from Experian IdentityWorks.
“The SF Employee’s Retirement System breach is a good reminder that even applications on test systems need to be secured against threats, whether they are internal (bad actors in the organization and its partners) or external (coming from hackers trying to exploit vulnerabilities),” Jayant Shukla, chief technology officer and co-founder of web application security firm K2 Cyber Security Inc., told SiliconANGLE. “Vulnerabilities, misconfigured servers and misused credentials are among the top reasons systems get breached.”
Trevor Morgan, product manager at data security specialist comforte AG, noted that hackers will always find a way through or around perimeter security.
“However, by taking effective measures to protect data in ways that go beyond ordinary encryption and perimeter defenses — measures such as tokenization — the detrimental impact of these breaches can be eliminated,” Morgan said. That’s because, he added, “tokenization replaces sensitive data with harmless and representational tokens, so no matter who gets ahold of that data, and no matter where that data travels, it prevents any inherent meaning from being conveyed. Sensitive information remains hidden, and the data becomes worthless to those who would steal it, sell it or use it to compromise others.”
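The tokenization Morgan describes, as an added illustration that is not code from the article, from SFERS, 10up or comforte AG: a minimal vault-based scheme in which sensitive member fields are replaced by random, format-preserving tokens before a copy of the data is handed to a test server, while the token vault stays on a separate, access-controlled system. The field names and the two member records are constructed for the example; a stolen copy of the tokenized data contains none of the original values.

```python
"""Added example: vault-based tokenization of member records.

Not the article's or comforte AG's code. The vault is an in-memory dict
standing in for a separate, hardened tokenization service; the record
layout and sample members are constructed for illustration.
"""
from __future__ import annotations

import secrets
import string


class TokenVault:
    """Maps random tokens back to sensitive values.

    The vault must live apart from the data it protects (never on the web
    tier or on a test server): a leaked tokenized copy is worthless without it.
    """

    def __init__(self) -> None:
        self._token_to_value: dict[str, str] = {}
        self._value_to_token: dict[str, str] = {}

    @staticmethod
    def _random_token(template: str) -> str:
        # Format-preserving: a digit becomes a random digit, a letter a random
        # letter of the same case, other characters are kept. Tokens are drawn
        # at random, not derived from the value, so they reveal nothing about it.
        if not any(ch.isalnum() for ch in template):
            raise ValueError("value has no alphanumeric characters to tokenize")
        out = []
        for ch in template:
            if ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isalpha():
                pool = string.ascii_uppercase if ch.isupper() else string.ascii_lowercase
                out.append(secrets.choice(pool))
            else:
                out.append(ch)
        return "".join(out)

    def tokenize(self, value: str) -> str:
        # Same value -> same token, so records with equal values stay linkable.
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:
            token = self._random_token(value)
            # Reject a token equal to the value itself or already in use.
            if token != value and token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        # Only callers with access to the vault can recover the value.
        return self._token_to_value[token]


# Fields the test server must never see in the clear (constructed names).
SENSITIVE_FIELDS = ("bank_routing_number", "security_answer")

# Constructed sample records, not real member data.
MEMBERS = [
    {"username": "jdoe", "bank_routing_number": "121000358", "security_answer": "Fluffy"},
    {"username": "asmith", "bank_routing_number": "026009593", "security_answer": "Oak Street"},
]


def tokenize_record(record: dict, vault: TokenVault) -> dict:
    """Copy of `record` fit for a test server: sensitive fields replaced by tokens."""
    return {k: vault.tokenize(v) if k in SENSITIVE_FIELDS else v for k, v in record.items()}


def detokenize_record(record: dict, vault: TokenVault) -> dict:
    """Inverse of tokenize_record, usable only where the vault is reachable."""
    return {k: vault.detokenize(v) if k in SENSITIVE_FIELDS else v for k, v in record.items()}


def plaintext_leaked(tokenized: list[dict], originals: list[dict]) -> bool:
    """True if any original sensitive value appears verbatim in the tokenized copy."""
    clear = {r[f] for r in originals for f in SENSITIVE_FIELDS}
    return any(r[f] in clear for r in tokenized for f in SENSITIVE_FIELDS)


def demo() -> tuple[list[dict], list[dict]]:
    """Tokenize the sample members for a test server, then restore them via the vault."""
    vault = TokenVault()
    test_copy = [tokenize_record(m, vault) for m in MEMBERS]
    restored = [detokenize_record(r, vault) for r in test_copy]
    return test_copy, restored


if __name__ == "__main__":
    copy_for_test, back = demo()
    print("tokenized copy:", copy_for_test)
    print("plaintext leaked:", plaintext_leaked(copy_for_test, MEMBERS))
    print("round-trip ok:", back == MEMBERS)
```

Two design choices matter here. The tokens are random rather than a hash or cipher of the value, so there is no key whose compromise reverses them; the only way back is the vault. And the mapping is deterministic per value, which keeps equal values linkable across records (useful for joins, but also a small information leak), so a deployment that does not need linkability should issue a fresh token per occurrence instead.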