The Sheriff's Office in Mesa County, Colorado mistakenly posted to a publicly available site a database containing names, Social Security numbers and contact information on confidential drug informants, suspects, and victims in criminal investigations.
The snafu, which happened earlier this year, also exposed identifying information on thousands of others, including employees, individuals who had spent time in the county jail, those who applied for a concealed weapon permit and those who had been served with civil papers.
In some cases, the exposed data affected individuals who had come into contact with the Sheriff's office as far back as 1988.
The data was available on the site from April to late November, when it was finally removed after an individual notified the Sheriff's office about finding his records popping up in a Google search, said Jessica Peterson, a spokeswoman for Mesa County.
The data is believed to have been accessed on multiple occasions starting sometime in late October, the spokeswoman added.
The breach resulted when an IT employee at the Sheriff's office mistakenly placed a database containing the information onto an unsecured FTP site on a county server, according to a statement released by the county earlier this month.
The employee was responsible for uploading the data to a new system and mistakenly placed it into what the employee believed was a secure storage area, the statement said.
In all, more than 200,000 files are believed to have been placed on the FTP site, the spokeswoman said. Not all of the files contained the same data, Peterson said. Some files contained just names and publicly available information, while other files might have contained more sensitive data.
The Sheriff's office is in the process of inspecting the files and weeding out the duplicates to get a better handle on the specific number of people whose sensitive data might have been compromised, Peterson said.
IT officials at the Sheriff's office are also working with law enforcement to figure out where the data went and whether it is possible to retrieve it or prevent its use.
As part of its damage control efforts, the Sheriff's office is working with Google's security team to see if they can find and remove copies of the exposed data from the Web, the spokeswoman said.
A report by NPR on the breach quoted Mesa County Sheriff Stan Hilkey expressing concern over the possibility that the data leak could have put some people's physical safety in jeopardy. "That in itself is probably the biggest concern we have, because we're talking about people's personal safety," Hilkey said.
The report also noted that the IT employee believed responsible for the breach is no longer working for the county.
The Sheriff's office did not immediately respond to Computerworld's request for comment.