Cumberland tightens website security after lapse
CUMBERLAND — After discovering the names and Social Security numbers of nearly 300 employees were displayed on its public website, the town is taking measures to ensure against a future security lapse.
Town Manager Bill Shane told the town's employees in a Jan. 10 letter that a 2008 document revealing the names and Social Security numbers of 275 workers in the payroll system at the time had been discovered on the website by an employee doing a Google search. The spreadsheet document was an unemployment insurance report filed quarterly with the Maine Department of Labor, Shane said.
He said the town believes the posting was accidental and not malicious.
The town has hired an engineering group to "come in and do an evaluation of our protocols as well as our (system) securities that we presently have in place, and recommend any changes, updates, upgrades to what we have, so that this won't happen again," Shane said Saturday.
The evaluation should cost less than $3,500, he said. The town has also offered to pay for three months' worth of credit checks for employees who want them. That cost would average about $45 an employee, which would mean an expense of more than $12,000 if every worker took advantage of the offer.
In the meantime, the town has implemented an immediate change in its web-publishing protocol. Now, when a document is posted, Shane and three other department heads must be notified.
Once the document was found, the town shut down its website and contacted search engine companies about removing it from their sites. It took about six hours for the report to be removed from the sites, and about another 24 to remove it from the sites' caches.
"It was 30 hours of hell," Shane said, but "we got through it."
He wrote in the Jan. 10 letter that "as of this morning, we have verified that the document and all links to the document have been deleted from all sites and searches in which it may have been accessible."
Finding out how the document was posted could be impossible, Shane said, noting that the town has changed websites twice in recent years, and that the 2008 version no longer has the information the town would need to track the source.
"There's no real set of fingerprints," he said.
Reaction to the matter has been mixed, Shane said, adding that "anxiety always occurs when you just don't know" what could happen with the information.
As of Saturday, no employees had reported any identity theft issues regarding the matter, he said.
Councilor Shirley Storey-King, who has been an employee of the town since before 2008, said Monday that she is not that concerned about the incident. "I grew up in the age where our Social Security number was our student ID number," she noted.
Storey-King said there are other ways people can be much more at risk, such as through credit card theft.
"If you're vigilant, and you work with reputable people, then you'll be OK," she said.