The SAManage USA data breach in 2016 exposed the Social Security numbers of 660 Vermont residents online. The Vermont Attorney General required SAManage USA to pay a settlement of $264,000 for violating the Vermont Security Breach Notice Act.
SAManage USA provided business support services for Vermont Health Connect. The firm failed to secure an Excel spreadsheet relating to the state health exchange. The spreadsheet was stored as part of the firm’s cloud-based IT support system and was assigned a unique URL, which anyone could guess and open online without a password.
The spreadsheet was also indexed by the Bing search engine, so a preview of its contents (a list of names and Social Security numbers) was displayed in search results. One Vermont resident accessed the spreadsheet via the search results and reported the breach to Vermont Attorney General T.J. Donovan. The Vermont Attorney General’s office conducted an investigation and contacted AWS to have the document removed. Amazon contacted SAManage USA to let the firm know of the breach; however, the incident was not communicated to the right company personnel.
According to the Vermont Security Breach Notice Act, companies need to give notice to the Attorney General’s office within 14 days of knowing about a breach. Consumers also need to receive notification within 45 days. SAManage USA discovered the breach on July 25, 2016, but sent notice to the Attorney General’s office in late September 2016, after the Attorney General had already contacted SAManage USA concerning the breach. Breach victims received notice after almost two months.
To resolve this breach case, SAManage USA paid $264,000 to the Attorney General’s Office and adopted corrective action plans, such as a comprehensive information security program. Attorney General Donovan said in a statement that his office will continue to protect and enforce Vermont’s data breach and consumer protection laws.