State apologizes after exposing crime victims' personal info online
Posted April 11, 2014
Raleigh, N.C. — North Carolina Department of Public Safety officials scrambled Thursday to take down a website that included the names and personal information of thousands of crime victims, including rape victims, who had applied for financial assistance from the state.
A WRAL.com reporter discovered the security breach while doing research for a story about the state's Crime Victims Compensation program. By law, the personal information of victims who apply for the program is not public record.
The breach happened sometime in late 2012 after the department created a new website and moved it to a state server, according DPS Communications Director Pamela Walker. Although the information was publicly available for more than a year, state workers investigating the breach believe it is "highly unlikely that anybody accessed this site," Walker said.
"The department strongly believes that the odds of anybody accessing this internal site are extremely low. The exact URL must be typed in to access it," Walker added. "The URL address was inadvertently provided when responding to a WRAL records request."
WRAL News was able to find information about victims on the site as far back as 1992, including names, dates of birth, dates of the crimes, how much money they requested and whether they were denied or received financial help. Some of the cases included names and birth dates of children who had been sexually abused.
The Crime Victims Compensation program gives victims up to $30,000 for medical bills, lost wages and counseling and gives family members up to $5,000 for funeral expenses. Victims of assault, sexual abuse, domestic violence, drunken driving, homicide, pedestrian hit-and-run and rape can apply to get financial help.
The data breach comes as the department marks National Crime Victims' Rights Week, which it has been promoting on its website – the same website where victims' personal information was posted until it was taken down Thursday afternoon.
"We appreciate WRAL bringing this to our attention. The website was taken offline as soon as we were made aware that it was publicly accessible," Walker said. "The department respects victims' rights to privacy and works diligently to keep their information confidential. We sincerely apologize for this breach in privacy."
Monika Johnson Hostler, executive director of the North Carolina Coalition Against Sexual Assault, says it's important for victims to know that the information was posted online.
"For many victims, they’re going to want to know who could have potentially seen it. It’s the Internet – anyone could have seen it," she said. "We will definitely work with these families to make sure that they understand that this was not malice intent. But while it is a reality, how do we work through that with them?"
Walker said Friday she was still deciding whether to alert victims to the security breach.
"The odds are minuscule that anybody else has accessed this site outside of victims' services," she said. "We don’t want to unnecessarily alarm (victims)."
Walker added that the agency "is researching additional security measures to prevent something like this from happening again."
Jeff Crume, a 30-year veteran of IT security and author of the blog Inside Internet Security says it’s a good sign that the site didn’t appear on Google search results or the Internet Archive, but it’s not 100 percent conclusive.
"There's no way to know if anyone else might have copied this other than through (logs). There could be any number of smaller bots that could have accessed this data," he said.
Crume says controlling access to a website that contains private information should be routine for the state's IT department.
"It's not something that would be abnormal or would require extensive skills to do," he said.
The website appeared to be for internal use, as a way for the agency to track the cases, but it was publicly available to anyone who had the link. The site included a "director's to-do" list where Crime Victims Compensation Director Janice Carmichael kept track of which cases she needed to review, including cases marked "priority," "recommended approval," "recommended disapproval" or "pending."
The site also linked to a meeting agenda for the Crime Victims Compensation Commission, a seven-member committee that reviews victims' claims that exceed $12,500. Carmichael first reviews the cases and makes recommendations to the commission, which votes to approve or deny the claims.
WRAL News was able to read the commission's upcoming June 18 agenda, which includes Carmichael's recommendations for which victims should be approved or denied money. As of Thursday, Carmichael had recommended that five victims get compensation, totaling more than $70,000, and that 15 people be denied. The victims' names, case numbers and recommended award amounts were included on the agenda.
Another section of the website allowed users to search for crime victims' cases by date or specifically for those who applied for the rape victim assistance fund.
This is not the first time the agency has revealed personal information about victims.
Last month, during a public meeting, members of the Crime Victims Compensation Commission openly discussed cases using victims' first and last names and talked about personal details, including whether certain victims had been involved with drugs. A WRAL.com reporter and a member of the public were present during the open meeting.
"We do sometimes let news media sit in, but you should have been given clear instruction that the person’s name does not need to be publicized," Walker said.
Amanda Martin, an attorney representing Capitol Broadcasting Co., the parent company of WRAL News, said commission members are obligated to protect victims' personal information, not people in attendance at the meeting.
"When a public body conducts a meeting in open session, they cannot put limits on what will be published or broadcast by the media," Martin said. "A public body should strive to do as much of its work in an open session as possible. I applaud the commission for trying to permit the public access to see how they operate, but it’s their obligation to do so in a way that’s compliant with the law."
N.C. statute 15B-8.1 says "all medical information relating to the mental, physical, or emotional condition of a victim or claimant and all law enforcement records and information and any juvenile records shall be held confidential by the Commission and Director. All personal information ... of victims and claimants and all information concerning the disposition of claims for compensation, except for the total amount awarded a victim or claimant, shall be held confidential by the Commission and Director."
In an email Friday afternoon, Walker said the commission plans to make changes to how it conducts its meetings, including assigning an attorney to attend the meetings, providing training to commissioners on protecting confidential information and implementing a new procedure for discussing the cases without using names.
The state Crime Victims Compensation program was created in the 1980s and has paid out more than $130 million to nearly 25,000 crime victims. The program, which received about $11.4 million last year, is funded through state appropriations and federal funding, which covers 60 percent of the costs.