Data breach affects about 4,000 SEC workers

The Securities and Exchange Commission is having some security problems of its own.

About 4,000 agency employees, including several in Los Angeles, have been notified that their Social Security numbers and other payroll information were included in an unencrypted email, according to Drew Malcomb, a Department of Interior spokesman.

The May 4 email was sent by a contractor at the department’s National Business Center, which manages payroll, human resources and financial reporting for dozens of federal agencies, Malcomb said. Interior Department policies require that sensitive personnel information be encrypted when emailed.

But the contractor neglected to encrypt the email, and the software in place to catch such errors did not work properly, Malcomb said.

“It was a twofold thing,” he said. “The contractor forgot, and then the software failed or malfunctioned.”

Affected employees were notified earlier this week and were offered 60 days of free credit monitoring.

“There is no indication that the data was intercepted,” Malcomb said, adding that personal information was exposed for about 60 seconds “during the time the email was being sent, from the moment when the person hit send to the time the other person gets it in the inbox.”

“It was only a 60-second window of vulnerability, but 60 seconds is too long,” he said.

The National Business Center has had other data security incidents. In May the center reported that a CD containing sensitive information on about 7,500 federal employees was lost. It has not been recovered.

In February 2010, software meant to catch unencrypted emails failed, but at the last minute an employee caught the problem and data were not exposed, Malcomb said.

The agency has launched a probe into the most recent incident.

“The investigation will likely result in a change in software,” Malcomb said. “I can’t really predict what the investigation will find, but that looks kind of clear.”