On December 11, 2009, the state of Minnesota directed all of its agencies to stop using a Texas I-9 software vendor that state officials had hired to verify the work authorization of new employees. The state notified approximately 500 employees that their personal data, including names, dates of birth and Social Security numbers, may have been accessible on the company’s web site. The state was using Lookout Services of Bellaire, Texas, to verify new hires’ U.S. employment eligibility through E-Verify.
The security issue came to light when Minnesota Public Radio was able to access state employee data on the software vendor’s web site without using a password or any encryption software. Allegedly, employee names, birth dates, social security numbers and hire dates were visible on the web site for every state agency using the service as well as a long list of private companies.
This apparent security breach serves as a reminder that protection of personal information does not depend on data encryption alone. For safety, every I-9 software user account should require a complex password and should never be left with a blank one. Ideally, each organization using a hosted SaaS (software as a service) solution should be allocated a physically separate database file rather than having its data commingled with data from other organizations.
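The two recommendations above, sketched as an added example that is not code from the article or from any vendor: a hypothetical `TenantStore` keeps one SQLite file per organization and returns no records without a password that passed a complexity check. The class and function names, the 12-character minimum and the sample records are assumptions made for illustration.

```python
import hashlib, hmac, os, re, sqlite3, tempfile
from contextlib import closing

MIN_LEN = 12  # assumed threshold; the article only says "complex" and "not blank"

def password_ok(pw):
    """Complexity check: minimum length plus lower, upper, digit and symbol."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return len(pw) >= MIN_LEN and all(re.search(c, pw) for c in classes)

def kdf(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)

class TenantStore:
    """Hypothetical store: one SQLite file per organization, no read without login."""
    def __init__(self, root):
        self.root = root

    def _run(self, org, sql, args=()):
        if not re.fullmatch(r"[a-z0-9_]{1,32}", org):  # org id must not shape the path
            raise ValueError("bad organization id")
        path = os.path.join(self.root, org + ".db")     # separate file per tenant
        with closing(sqlite3.connect(path)) as db, db:  # commit, then close
            db.execute("CREATE TABLE IF NOT EXISTS users(name TEXT PRIMARY KEY, salt BLOB, hash BLOB)")
            db.execute("CREATE TABLE IF NOT EXISTS employees(name TEXT, hire_date TEXT)")
            return db.execute(sql, args).fetchall()

    def add_user(self, org, user, pw):
        if not password_ok(pw):                         # blank or simple: refuse at creation
            raise ValueError("password does not meet policy")
        salt = os.urandom(16)
        self._run(org, "INSERT INTO users VALUES(?,?,?)", (user, salt, kdf(pw, salt)))

    def add_employee(self, org, name, hire_date):
        self._run(org, "INSERT INTO employees VALUES(?,?)", (name, hire_date))

    def list_employees(self, org, user, pw):
        rows = self._run(org, "SELECT salt, hash FROM users WHERE name=?", (user,))
        if not rows or not hmac.compare_digest(rows[0][1], kdf(pw, rows[0][0])):
            raise PermissionError("valid credentials required")
        return self._run(org, "SELECT name, hire_date FROM employees")

def demo():  # constructed sample data: two organizations on one hosted service
    with tempfile.TemporaryDirectory() as root:
        store = TenantStore(root)
        store.add_user("agency_a", "hr", "Correct-Horse-42!")
        store.add_user("company_b", "hr", "Another-Pass-77#")
        store.add_employee("agency_a", "Sample Person", "2009-12-01")
        return (store.list_employees("agency_a", "hr", "Correct-Horse-42!"),
                store.list_employees("company_b", "hr", "Another-Pass-77#"),
                sorted(os.listdir(root)))
```

Because each organization's records live in their own file, a query issued for one tenant has no rows from another tenant to return, even if an access check elsewhere is missed.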