http://cbs5.com/local/caljobs.security. ... 65861.html

Oct 22, 2009 11:54 pm US/Pacific

Security Flaws Discovered In Calif. EDD Website

Anna Werner

It's one of the most serious security breaches one computer expert has ever seen. CBS 5 Investigates has discovered a state-run web site may be putting hundreds of thousands of Californians at risk of identity theft.

It started off with a tip from a viewer, a local job seeker who noticed a computer glitch. Once CBS 5 started looking closer at the glitch, it turned out to be a gaping hole.

For laid off workers such as Tom Diederich of Pacifica, it's a requirement: To get unemployment benefits you have to post your resume on CalJOBS, the state's job site. "I filled out my employment history and I saved it," said Diederich, who bookmarked it for future reference.

But the next day when he clicked back in he said, "I saw someone else's information. I saw their name, where they live, their email, their phone number. I was shocked, really."

And the next time, again? "I got a different person's information," said Diederich. "There was probably about 5 or 6 different times that I have seen it. It was more frightening because I said 'Who's seeing my information?'"

So how big of a problem is that? Expert Pam Dixon with the World Privacy Forum said, "That is not okay!" Because, she said, resumes are a gold mine for criminals.

"Resumes are really fantastic tools for identity theft, because you get a person's name, you get their home address and you get a lot of information about them, so you can impersonate them much more easily," Dixon said.

Job sites are already a target. In January, Monster.com reported someone "illegally accessed" its database and took private information including names and phone numbers. In that case, not resumes. But Dixon said in the case of CalJOBS, "If the criminal gets access to the resume database, they will aggregate the resumes and sell them to other criminals."

Diederich, a former reporter at Computer World Magazine, thought the problem serious enough that he sent the state an email and called. But he said, "I didn't hear back from them."

So CBS 5 Investigates decided to find out. Could the state's CalJOBS website expose Diederich and others to possible identity theft? After all, this is the place where more than three quarters of a million Californians look for help getting a job.

CBS 5 asked UC Berkeley computer science professor and privacy expert, Doug Tygar to take a look at Diederich's problem. He said, "I consider that to be a serious security breach."

But it turns out, not the only one. Because just moments after beginning his examination of that website, using Diederich's web link, Tygar was able to get into the site, and look at other applicants' supposedly private data. "I was able to access other people's personal information including their address, their phone numbers, email, personal details," Tygar said.

All by just changing a few numbers in the URL. In fact, Tygar even found he was able to go in and change information on people's resumes. "I would in fact have been able to go through and change that if I were a malicious attacker," he said.

Tygar said a hacker looking for identities to steal could have thousands of resumes at his disposal. "They are giving the information out to people who they shouldn't."
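As an added illustration (not code from CalJOBS, EDD or CBS 5; every name, id and record in it is constructed), here is the kind of flaw Tygar describes, a resume lookup keyed only by the number in the URL, shown beside the ownership check that closes it, and a small audit routine that flags cross-user reads in an access log. The article does not say what caused the bookmark glitch, so this covers only the URL-parameter problem.

```python
"""Added example: an insecure direct object reference (IDOR) in a resume
lookup, its hardened form, and an audit over constructed access-log data.
All identifiers, users and records here are made up for illustration."""

from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a user asks for a record that is not theirs."""


@dataclass
class Resume:
    owner: str      # account that created the record
    name: str
    address: str
    email: str


# Constructed sample data standing in for the site's resume table.
RESUMES: dict[int, Resume] = {
    1001: Resume("tom", "Tom D.", "Pacifica, CA", "tom@example.invalid"),
    1002: Resume("alice", "Alice A.", "Oakland, CA", "alice@example.invalid"),
    1003: Resume("bob", "Bob B.", "Fresno, CA", "bob@example.invalid"),
}


def parse_resume_id(query: dict[str, str]) -> int:
    """Pull the id out of a parsed query string like ?resume_id=1001."""
    try:
        return int(query["resume_id"])
    except (KeyError, ValueError):
        raise ValueError("missing or non-numeric resume_id")


def view_resume_vulnerable(session_user: str, query: dict[str, str]) -> Resume:
    """The pattern the article describes: the id in the URL alone decides
    which record comes back. The logged-in user is never consulted, so a
    different number returns a different person's data."""
    resume_id = parse_resume_id(query)
    return RESUMES[resume_id]


def view_resume_secure(session_user: str, query: dict[str, str]) -> Resume:
    """Hardened form: look the record up, then verify the session's user
    owns it. A mismatch is reported exactly like a missing record so the
    endpoint does not confirm which ids exist."""
    resume_id = parse_resume_id(query)
    record = RESUMES.get(resume_id)
    if record is None or record.owner != session_user:
        raise Forbidden(f"user {session_user!r} may not read resume {resume_id}")
    return record


def update_resume_secure(session_user: str, query: dict[str, str],
                         new_address: str) -> Resume:
    """Writes need the same check; Tygar noted he could also have changed
    other people's resumes. Reusing the read path enforces ownership once."""
    record = view_resume_secure(session_user, query)
    record.address = new_address
    return record


def audit_cross_user_reads(access_log: list[tuple[str, int]]) -> list[tuple[str, int]]:
    """Given (session_user, resume_id) pairs from an access log, return the
    reads where the requester did not own the record. Useful after the fact
    to size an exposure like the one in the article."""
    flagged = []
    for user, resume_id in access_log:
        record = RESUMES.get(resume_id)
        if record is not None and record.owner != user:
            flagged.append((user, resume_id))
    return flagged


if __name__ == "__main__":
    # Constructed log: one session reading three ids in a row.
    log = [("tom", 1001), ("tom", 1002), ("tom", 1003), ("alice", 1002)]
    print("vulnerable:", view_resume_vulnerable("tom", {"resume_id": "1002"}).name)
    print("audit flags:", audit_cross_user_reads(log))
```

The point of the hardened version is that authorization is decided by the server's session, not by anything the client sends in the URL; the id only selects among records the session is already allowed to touch.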

So what about the state's own privacy policy, stated right there on the website, that claims it "secures" that information against "loss, modification, unauthorized access, or disclosure"?

Tygar said, "It does not appear to me that the CalJOBS website was designed with security as its primary goal, and I think they need to go back and re-engineer the website to make privacy a number one priority."

Starting, he said, with a full security audit: "It is clear to me that the Caljobs website has very serious security problems and that the system administrators have not yet understood the scope of those problems," Tygar said.

The California Employment Development Department declined an on camera interview, but sent CBS 5 Investigates this statement, saying: "We are currently looking into the web site security concerns you brought to our attention. The confidentiality of our web site and its users has always been a top priority."

The glitch that allowed Diederich to click on his bookmark and read other people's resumes appears to be fixed. EDD said their web site team is now looking into the other possible vulnerabilities identified by CBS 5 Investigates. They say if such vulnerabilities are found, they will correct them immediately.

(© MMIX, CBS Broadcasting Inc. All Rights Reserved.)