An Alden-based uniform company and its website developer have agreed to pay $95,000 in penalties after they inadvertently published job applicants’ Social Security numbers online.
Doritex Corp., which supplies and cleans uniforms for customers in Western New York, along with its website developer, Buffalo-based The Kallus Opraments, were found to have exposed the personal information of 518 job applicants through an insecure employment application portal on Doritex’s website. The insecure portal, which was not encrypted, allowed the applicants’ information to be found using a simple Google search. Applicants’ information including their names, addresses and Social Security numbers were visible on the Web for a month.
Doritex was alerted to the breach on June 22 and corrected the problem immediately. But, by law, the company is required to notify the applicants and certain government agencies “without unreasonable delay” that their information had been breached. It didn’t do so until July 21.
The two companies reached a settlement with the attorney general’s office in which they agreed to beef up their data security and to promptly notify government offices and victims about data security breaches in the future. Doritex has also agreed to pay a $55,000 penalty. The Kallus Opraments agreed to train its employees in data security and pay a $40,000 penalty. Kallus’ penalty was suspended due to the company’s financial condition.
Doritex said it takes data privacy very seriously and was happy to work with the attorney general’s office to remedy the situation.
“Based on a forensic investigation of this matter, Doritex is confident all employee data is protected, and the company is not aware of any misuse of private information,” Doritex said in an email.
The Kallus Opraments could not immediately be reached for comment.