Hundreds of documents containing personal information of some employees at Jenkinson’s Breakwater Beach Waterpark at Casino Pier in Seaside Heights have been available online to anyone who clicks in the right place, Bamboozled has learned.
The documents include copies of Social Security cards, driver’s licenses, birth certificates, passports, student IDs, tax forms, seasonal work agreements, minor consent forms and employment eligibility forms from the Department of Homeland Security.
The employee information was stored on a company web site that apparently wasn’t protected by password entry.
Documents viewed by Bamboozled included both applicants and hires from the 2014 and 2015 seasons, while the company insists only 2015 data was available. The site’s main index file, which is how the documents were accessed, dates back to 2010.
A review of the documents shows the majority of those affected are seasonal employees, and most are teenagers or young adults from towns across New Jersey. Some were teens who applied for jobs but were never hired. Other employees came from overseas, including some from China, Ireland, Bulgaria, Lithuania and others, records show.
In essence, the personally identifiable information, or PII, reveals everything anyone would need to apply for loans, credit cards or even fake passports and driver’s licenses.
“In a word, ‘Wow,'” said Mitch Feather of Creative Associates, a Madison-based cybersecurity firm after reviewing the web site. “This is a case that everything is here for somebody to do an impersonation.”
We reached out to some of those whose information may have been breached.
“I’m nervous and I’m upset about it,” said Brianna Burke, 18, of Forked River. “Now that I’m about to apply for student loans, I’m worried about my credit. The fact that someone could be ruining my life right now is disheartening.”
Burke had applied for the job but was never hired, yet her information was on the site.
Darren Hook of Toms River has two children who work in food services at the park.
“You go and do something innocent like go and try to find a job and this kind of thing happens? It makes you feel vulnerable,” he said. “There should be something in place that protects your information.”
Within 15 minutes of talking to Bamboozled, Breakwater Beach shut down the online access to
A company spokeswoman, Maria Mastoris, said the breach involved two URLs that led to the same site.
She said the company has 500 employees in 2015 and there were 499 in 2014, but only 71 were affected. That’s because many employees didn’t upload their files, but instead gave hard copies to the company, she said.
“The encryption has been changed and all files have been removed for 2015. 2014 files were removed last year,” she said. “We do not hold onto uploaded filed for more than a few months. In future hirings, we will not allow paperwork to be uploaded.”
But Bamboozled was able to access the 2014 files, which she said were not available, so we asked for clarification.
She again said there were no files from 2014, so we shared a screen capture of the 2014 files we
accessed earlier in the day. Mastoris didn’t respond further on that issue.
When asked what the company would do for affected employees, Mastoris said they will be offered fraud protection. She also noted that no customer or vendor data was compromised.
When asked, she said employees would be notified “as soon as possible.”
The spokeswoman said the problem began earlier this month.
“A Russian IP address hacked the site on July 2nd, breaking down the encryption on the web site,” she said.
Mastoris said the site was properly encrypted before then.
If that’s true, why were the files still available until Bamboozled called?
UNEXPECTED INFORMATION SOURCE
The information about the breach came to Bamboozled in an interesting way.
Peter Heimlich of Atlanta is an independent blogger with a journalism background. His father is Henry J. Heimlich, the famed physician for whom “the Heimlich maneuver” was named.
The junior Heimlich has been waging a battle to have the Heimlich maneuver removed from
lifeguard training manuals because first aid and medical organizations including the Red Cross and the American Heart Association say it’s ineffective and potentially dangerous as a method to revive someone who’s drowning.
Heimlich has blogged about the National Aquatic Safety Company (NASCO), a Texas-based lifeguard training firm, which refused to rewrite the training books. But then, Heimlich won the fight in Utah and also in New Jersey, where NASCO trains the lifeguard staff at four water parks, including Breakwater Beach.
Earlier this week, Heimlich checked the Breakwater Beach site to see if the employee manual had been updated. He found the updated manual, but he also came across the personnel information.
“It couldn’t have been easier (to find)” he said.
And then he contacted Bamboozled.
We asked Feather, the cybersecurity expert, to take a look at the site before it was shut down.
“The site had exposed a treasure-trove of information,” Feather said.
He said anyone could take the documentation and set up loans, health insurance and more, all in a victim’s name.
Feather said cyber incidents like these should be reported to the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) at http://www.cyber.nj.gov/report, or you can email email@example.com.
He said even if the company responsible for the exposure steps up and offers a subscription to a credit monitoring service, that shouldn’t be the end of what you do.
“You should notify major credit bureaus that your PII has been exposed, you should examine and monitor your credit reports and you should consider having the credit bureaus implement a freeze,” Feather said.
“But don’t stop there: you should stay particularly aware of unusual activity in your bank accounts, health insurance, and watch out for signs that credit cards, loans, etc. have been issued in your name.”
He said it could be subtle, like mail from a bank welcoming you and/or thanking you for opening an account.
“Many people are quick to tear up/throw out these mailed items without ever looking at them,” Feather said. “Take the extra 10 seconds to open it and make sure that it is not a welcome letter and/or contains cash-advance checks.”
(A side note: Heimlich also thought our readers would be interested to know he has a side gig leading a weekend rock ‘n roll oldies band and is a big fan of Bruce Springsteen and Southside Johnny. Just sharing!)
Staff researcher Vinessa Erminio contributed to this report.