Software flaw at WorkOne Indy locations may have exposed personal data
WorkOne administrative agency EmployIndy to provide identity protection services
INDIANAPOLIS – EmployIndy, the city’s nonprofit workforce development intermediary, mailed notification letters this week to 2,045 customers who may have had their social security numbers exposed due to a malfunction in its internal third-party software provided by Empyra.
The flaw affected the user account setup process via WorkOneIndy.org and was discovered after a user reported encountering a drop-down menu that appeared to show archived social security numbers in the field where he was attempting to enter his own social security number.
“We want to be clear that the only personal information that might have been exposed was an individual’s social security number, and affected numbers were at no time revealed alongside any other personally identifiable information, such as name, date of birth or address,” says Marie Mackintosh, COO of EmployIndy. “This was not a breach of our technology infrastructure or an intrusion from an outside party into our database.”
The flaw was a software coding issue that caused previously entered social security numbers to auto-populate into that field of the new account setup page. The social security numbers of those users potentially exposed would have been visible only to other individual users who were creating new logins while using computers inside one of WorkOne Indy’s three local centers to access the WorkOneIndy.org website.
An investigation into the issue confirmed that the malfunction was active between the dates of October 3, 2016, and January 27, 2017, ultimately affecting an indeterminable number of users. During this time, EmployIndy’s nightly IT data-clearing protocols ensured that any social security number that appeared in a drop-down menu would have done so only for the single day on which it was first entered.
“There is no way to know exactly how many or which social security numbers were exposed while the flaw was active, which is why we’ve chosen to notify every single WorkOne Indy customer who completed a new account setup at one of our centers from October of last year to January of this year,” Mackintosh says. “While we believe the total of exposed numbers is small relative to the total number of customers we have notified, we are extending identity protection and credit monitoring services to all those potentially affected because we must do everything we can to ensure people’s privacy and security.”
Mackintosh says EmployIndy’s IT team completed a provisional fix for the malfunction on January 27 that included blocking the auto-population function that caused the display of archived social security numbers. A permanent fix to the Empyra software itself was made by that company on March 3.
EmployIndy anticipates all customer notifications related to the data exposure to be delivered by the U.S. Postal Service by the beginning of next week. Any WorkOne Indy customer who may have accessed WorkOneIndy.com from a WorkOne Indy center between the dates of October 3, 2016, and January 27, 2017 is encouraged to contact AllClear ID at 855-530-9801.
EmployIndy is a Marion County nonprofit organization that provides expertise, identifies tools and prioritizes resources to develop, create or find the best talent needed to power the Marion County economy. Guided by a 21-member board composed of business, civic, education and nonprofit community leaders, EmployIndy guides the investment of public and private funds to meet the needs of Indianapolis businesses and residents. For more information, visit www.EmployIndy.org.