Thanks to Michael Specht, author of My Blog of HR and Technology Stuff, for pointing me to another identity horror story which is right up there with the ChoicePoint Saga and other tales from the identity crypt.
You can read about the whole affair in a really clear whitepaper from Think Computer.
Yes, my hearties, prepare to shiver and twist as you learn how…
PayMaxx has unwittingly created a perfect example of how a security breach is possible over a connection that is technically secure.
Upon discovering the vulnerabilities in PayMaxx’s system and their extent on February 7, 2005, Think immediately notified PayMaxx that the problems were of a serious nature, and recommended that the company hire a security consultant to remedy them if it was unable to fix them on its own. After more than two weeks, PayMaxx issued no formal response and took no action, leaving the security holes wide open.
More ghoulish details:
Any employee, whether terminated, presently working, on leave, or even affiliated with a company that was no longer a PayMaxx customer, could therefore look up the supposedly confidential W-2 of any other onetime PayMaxx customer.
By simply changing one number in a hyperlink on PayMaxx’s “secure” web site, it was possible to scan through PayMaxx’s entire W-2 database for the year 2004. PayMaxx stored each employee’s data record sequentially in a table—a perfectly normal and acceptable practice, and one that Think uses frequently in its own software, but also one which made it possible to always guess the ID of the next record by simply adding 1.
Statements remained on its corporate site such as, “At PayMaxx, we are committed to maintaining your privacy and data security.” Interestingly enough, as recently as February 18, 2005, Attorneys General in thirty-eight states signed an open letter to ChoicePoint, Inc. protesting that company’s inaction after it was notified of a remarkably similar problem.
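The flaw the whitepaper describes is an insecure direct object reference: the server trusts a sequential record number taken straight from the URL and never checks that the logged-in user owns that record. The following is an added example, not code from the whitepaper, from PayMaxx or from this blog; the table, usernames and the `EnumerationDetector` are constructed for illustration. It shows the vulnerable lookup beside its hardened form (an ownership check, with an opaque token as defence in depth) and a small detector that flags a session walking consecutive IDs.

```python
"""Added example (not from the page): insecure direct object reference on a
sequential record id, the ownership check that closes it, and a detector
for consecutive-id enumeration. All names and data here are constructed."""
import secrets
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class W2Record:
    record_id: int   # sequential row id, as in the system described above
    employee: str    # authenticated username of the record's owner
    employer: str
    wages: float


# Constructed sample table: consecutive ids spanning two employers.
W2_TABLE: Dict[int, W2Record] = {
    1001: W2Record(1001, "alice", "Acme Corp", 52000.0),
    1002: W2Record(1002, "bob", "Acme Corp", 61000.0),
    1003: W2Record(1003, "carol", "Globex Inc", 48000.0),
}


def get_w2_vulnerable(session_user: Optional[str], record_id: int) -> Optional[W2Record]:
    """Vulnerable pattern: login is checked, ownership is not, so any
    authenticated user can read any record by changing the id."""
    if not session_user:
        return None
    return W2_TABLE.get(record_id)


def get_w2_hardened(session_user: Optional[str], record_id: int) -> Optional[W2Record]:
    """Hardened: the record must belong to the authenticated principal.
    A foreign or missing id both yield None, so the response does not
    reveal whether the id exists."""
    if not session_user:
        return None
    rec = W2_TABLE.get(record_id)
    if rec is None or rec.employee != session_user:
        return None
    return rec


# Defence in depth: expose an unguessable token instead of the row id.
# The token only maps to an id; the ownership check above still runs.
TOKEN_TO_ID: Dict[str, int] = {}


def issue_token(record_id: int) -> str:
    token = secrets.token_urlsafe(16)
    TOKEN_TO_ID[token] = record_id
    return token


def get_w2_by_token(session_user: Optional[str], token: str) -> Optional[W2Record]:
    record_id = TOKEN_TO_ID.get(token)
    if record_id is None:
        return None
    return get_w2_hardened(session_user, record_id)


class EnumerationDetector:
    """Flags a session whose requests form a run of consecutive ids,
    the access pattern that walking a sequential table produces."""

    def __init__(self, threshold: int = 3) -> None:
        self.threshold = threshold
        self.last_id: Dict[str, int] = {}
        self.run_length: Dict[str, int] = defaultdict(int)

    def observe(self, session_user: str, record_id: int) -> bool:
        """Record one request; return True once the run reaches the threshold."""
        prev = self.last_id.get(session_user)
        if prev is not None and record_id == prev + 1:
            self.run_length[session_user] += 1
        else:
            self.run_length[session_user] = 1
        self.last_id[session_user] = record_id
        return self.run_length[session_user] >= self.threshold
```

The ownership check is the real fix; the opaque token only raises the cost of guessing and must never replace the check. The detector is deliberately simple (a run of consecutive ids per session) and is the kind of signal that, had it existed, would have shown the scan the whitepaper describes.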
It is shocking that PayMaxx apparently didn't react “full speed ahead” to rectify the situation it had created.
But then there are also deep technical implications to consider. Have you heard my audio interview with Carl Ellison? This is the perfect example of what he means when he says that security can't be done in layers, but needs a “diagonal” across all the layers to provide a holistic solution.