State worker who uploaded sensitive information resigns

Revenue Department employee uploaded spreadsheets containing names, addresses and social security numbers of at least 15,300 Oregonians to his personal cloud storage account.

SALEM — A state employee who uploaded sensitive personal information on at least 15,300 Oregonians to a personal cloud storage account resigned this week, according to the Oregon Department of Revenue.

The employee uploaded about 60 spreadsheets containing more than half a million records, including names, addresses and social security numbers, to a personal account on Google Drive, Google's cloud storage service, Feb. 21.

The information was used by the department to reconcile accounts, but the employee sought to upload it to a personal account because he wanted to use the spreadsheets and queries "as templates for his work products at a future employer," the department said in a prepared statement in response to questions from the EO/Pamplin Capital Bureau this week.

The spreadsheets were the work product of a former department employee and used "complex queries" to gather data and do calculations, the department said.

The employee used a state computer to upload the information to Google Drive, which can be accessed from different computers with appropriate account credentials.

The upload was detected by department officials in a routine review of system logs.

During the investigation, the unidentified employee provided the department with his Google login and all agency files were deleted from the personal account, and IT security staff confirmed there were no backups, nor application data, left in the user's Google Drive account, the department said.

The Oregon State Police determined the incident was "non-criminal in nature" during the early stages of the state's investigation.

Department representatives said March 23 that the information of roughly 36,000 people could have been compromised by the act, but said Friday that the spreadsheets contained "numerous duplicate records." The department sent direct notifications by mail to about 15,300 people.

The department is also paying for identity theft protection services for those people whose information was included in the upload "on the off chance the files were accessed in a way we couldn't detect," Gasperini said.

The individual notifications and recovery services are costing the department $28,810.

The department also says that there's no evidence to suggest that the personal information was shared beyond the employee's personal account.

The incident was detected Feb. 23, and the employee was placed on paid administrative leave three days later, but the revenue department didn't issue a public notice of the incident until March 23.

"The investigation into the incident itself was complete within a few days, but combing through what was removed from the drive to determine how many people could potentially impacted took much longer," Gasperini said by way of explanation. "...As soon as we were relatively confident in the refined group of records, which was March 22, we finalized the press release that was issued March 23, the next day. We were also working on matching records with contact information so we could move forward with individual, direct notification through the ID recovery services vendor as soon as possible after the general public notification."

News of the incident follows an audit of the state's new tax processing system that raised questions about who should have access to certain taxpayer information.

In fact, the same day that the incident occurred — Feb. 21 — was the day that the Oregon Secretary of State's office released the audit, which found the department can improve controls on access to its new tax processing system, GenTax.

Auditors said "better controls are also needed to ensure ongoing access remains appropriate for users who change jobs and to ensure users who have left employment with (the revenue department) or with other entities have their access terminated timely."

While the employee said he wanted the spreadsheets for use at a future employer, it's not clear whether the employee has moved on to another job. The revenue department says it is not aware if he is working for someone else. The employee's salary was $7,462 per month.

The department also says that employees on administrative leave are not be able to work for another employer, and must remain at home and "available for further inquiry."

Most of the department's 1,007 employees have "some level of access" to social security numbers.

"Because of the information we handle on a daily basis, our network is secured and monitored for appropriate use," department PR officials said in Friday's statement. "That monitoring worked, and our IT security staff detected files being moved off of our secure network quickly."