it crawls across your site, also crawls across attachments," Schmitt said. "That's where our problem came: that it was on Google. Not that it was actually posted on our site, but that Google picked it up."
"I think the attachment was there less than 10 days, so once we found out about it we took the information off the Web site," Schmitt said. But the city had to contact Google to get the technology giant to remove the searchable information from its indexes, which didn't happen until weeks later.
Lynchburg no longer automatically adds attachments to RFPs and has since placed data-sharing and handling procedures under review, she said. The city had already been trying to improve IT security, but the breach made the issue more pressing.
"I think an incident like this caused us to have a little bit more urgency in getting things put together," she said. "It also is, unfortunately, one of the best examples of why people need to pay attention to things like security policies, because they talk about how you manage data in a global sense."
After the Exposure
Sure, data breaches can be horrific, but depending on the information that's compromised, they might not necessarily be earth-shattering.
"In my opinion, exposing Social Security numbers is not the gravest breach in the world. Because all it takes is an Internet browser and a credit card to get anybody's Social Security number in a matter of seconds," Mitnick said.
The chief targets are medical, financial, bank account and credit card information.
"You don't have to be a private investigator. You don't have to be law enforcement," he said. "All you really have to know is where to look, where this information is being sold legally."
Mitnick wouldn't disclose specific information brokers or databases, but he may have been referring to sites like www.secret-info.com, which was mentioned in a 2005 Newsmax.com article, "Social Security Numbers Are for Sale Online." The site offers Social Security number searches for $45 by credit card. A thorough Google search turns up similar brokers that have varying degrees of checks and balances to ensure that requesters are legit. Bestpeoplesearch.com offers Social Security number searches for free from "publicly available data systems" but says a requester must provide documents to substantiate the request and that the people whose numbers are searched will be notified.
It would help ensure the safety of Social Security numbers and other personal data if local governments prevented breaches. Citizens expect cities, counties and states to safeguard their privacy.
Brohm said that in Verizon's forensic work, employees who caused accidental breaches are often terminated, depending on the severity of the mistakes.
"As we're progressing with an investigation, we may find that some individual may no longer be a point of contact because they were let go due to a breach," Brohm said. "It makes our job that much tougher because when you usually go onsite for these things, there's a lot of finger pointing. A lot of politics takes place in the background because people are afraid that they're going to be terminated at the end of it."
Schmitt said "appropriate disciplinary action" was taken against the employees in Lynchburg who were found responsible for the city's breach, but she would not say exactly what that action was.
In Brohm's opinion, organizations must enforce existing data-handling procedures so employees don't become lax.