Share this article on:
The 2016 SAManage USA data breach that saw the Social Security numbers of 660 Vermont residents exposed online has resulted in a settlement of $264,000 with the Vermont Attorney General.
In 2016, SAManage USA, a technology company that provides business support services, failed to secure an Excel spreadsheet relating to the state health exchange, Vermont Health Connect.
The spreadsheet was attached to a job ticket that was part of the firm’s cloud-based IT support system and was assigned a unique URL. The URL could theoretically have been guessed by anyone and accessed via a web browser without any need for authentication.
The spreadsheet was also indexed by the Bing search engine and was displayed in the search results. Bing also displayed a preview of the contents of the spreadsheet, which clearly displayed names and Social Security numbers.
Vermont Attorney General T.J Donovan said a Vermont resident found the spreadsheet via the search engine listings and reported the breach to his office, triggering an investigation. The Vermont Attorney General’s office contacted AWS and requested the document be removed. Amazon in turn contacted SAManage USA to alert the firm to the breach. However, while an engineer was alerted to the SAManage USA data breach, the incident was not communicated to the appropriate personnel within the company.
The Vermont Security Breach Notice Act requires companies to alert the Attorney General’s office of a breach within 14 days of discovery and consumers within 45 days. SAManage USA was alerted to the breach by Amazon on July 25, 2016, but it took until late September 2016 for the Attorney General’s office to be notified, shortly after the Attorney General contacted SAManage USA about the breach.
It took almost two months for breach victims to be notified. Attorney General Donovan said that were it not for the intervention of his office, the breach would not have been reported.
SAManage USA has agreed to a $264,000 settlement to resolve the case and will adopt a robust corrective action plan, which includes implementing a comprehensive information security program to prevent further privacy breaches.
In a statement about the settlement, Attorney General Donovan said, “Vermonters are increasingly aware of the dangers of mishandling Social Security numbers, and we will continue to protect them by enforcing our data breach and consumer protection laws,” he explained that “This is an appropriate penalty given the given the specific facts of this incident and that the company fully cooperated with our investigation.”