Here’s what I’ve learned today about this week’s problem with the NCIS billing system.
Early Monday evening the NCIS team was seeing a repeat of the main problem from last week: when some customers tried to view their bill online, they were seeing other customers’ bills as well. That exposes names, addresses, account numbers and consumption information, but not bank or credit card information. Around 7:00pm Monday they shut down the Kubra service for viewing and paying bills, as they did last week, as a precaution to prevent any additional privacy exposures. After backing out the misconfigured daily batches of bills, they re-enabled the Kubra system. They are verifying a fix to the bug, and have disabled sending any further daily batches of bills to Kubra until their testing reveals that the batch processing bug has been fixed. Once the fix is verified, they should quickly get caught up with processing e-bills.
The NCIS team is still working with Kubra (a third party service) to identify the customers whose information was compromised in either incident. They expect to have that list confirmed “soon.”
Last week, SCL and SPU contacted the press the same day that they found the privacy problem to describe the issue in detail, and they issued a notice the next morning. This week, with a nearly identical problem and privacy issue, they have been tight-lipped. After discovering the problem Monday, they said nothing that evening and nothing all day Tuesday — finally admitting the problem this afternoon after refusing to answer my inquiries for 24 hours. They still haven’t posted anything to put their customers on notice that there was a new incident.
According to the city’s privacy policy:
In the event that any information under our control is compromised as a result of a breach of security, the City will take reasonable steps to investigate the situation and where appropriate, notify those individuals whose information may have been compromised and take other steps, in accordance with any applicable laws and regulations.
The policy doesn’t speak to the timeliness of disclosure, which is critical to allow victims of a privacy exposure to be on the lookout for malicious use of their personal information.
I’m following up with the utilities to understand why they were less forthcoming this week in disclosing the privacy issue and whose decision that was. I’m also hoping to get clarity on how they will proceed once they have the list of compromised customers.
I’ll repeat what I said last week: this kind of bug doesn’t represent a major design flaw in NCIS, but most likely a small coding error — and it demonstrates why all IT systems have bugs. There will be more bugs found over time, and some of those might also be privacy-related. That’s why a robust, timely, customer-supportive policy for how privacy incidents are disclosed is so critical. SPU and SCL clearly have more work to do on that.