State agency warns of security breach

California's Employment Development Department alerts some workers that their personal information may have been accessed by an intruder, CNET News.com has learned.

Ina Fried Former Staff writer, CNET News
Some California workers may have had their salaries and other personal information compromised after someone gained unauthorized access to a state agency's computer.

The California Employment Development Department has begun warning some current and former household workers that their information may have been accessed by an intruder, CNET News.com has learned. The agency sent a letter, dated Feb. 11, notifying people of the breach and offering information about how to reduce the risk of identity theft.

Approximately 55,000 employees were affected, EDD spokesman Kevin Callori said in an interview. The agency said the database in question contained names, Social Security numbers and wages.

"At this time we do not know the intent of the intruder or whether your personal information was accessed," Dale Morgan, chief information security officer of the EDD, said in the letter, which was obtained by CNET News.com.

"An internal EDD review of the incident found that a source outside of EDD gained access to a computer system containing personal information about you," he added.

Morgan said that the unauthorized access is being investigated by the computer crimes unit of the California Highway Patrol.

"The EDD regrets that this incident occurred and assures you that we are working with law enforcement to protect against further incidents of this kind," the letter said.

Callori said that the breach, which was detected on Jan. 20, was limited to a single server containing information about household workers.

"There is no evidence they accessed personal information," he said. "Apparently, they were using the server to send out spam."

However, because investigators could not rule out the possibility the information was accessed, the agency needed to notify people, he said.

California implemented a law last year requiring businesses and government agencies to reveal if a database containing private information has been compromised.

The server in question, Callori said, was a Compaq Alpha server running Unix, while most other EDD servers run Microsoft's Windows operating system. "Apparently this is a nonstandard (server) unique to this application," he said.

In December, portions of the LocatePlus database used by law enforcement and credit agencies were briefly made accessible via the Internet.

Identity theft has been a growing concern in recent years, with analyst firm Gartner estimating last year that 3.4 percent of Americans--or more than 7 million people--had their personal information compromised within the past 12 months.