Ohio Data Leak Gets Pinned On The Intern
from the passing-the-buck-eye dept
You might remember the recent data leak in Ohio, where personal info on a million or so people was lost, after a storage device containing it was stolen from an intern’s car. The intern, who apparently took the device home with him as part of a security protocol, has now been fired by the state, and says he’s being made the scapegoat for the loss. Despite the governor’s claims to the contrary, of course the intern’s being scapegoated, even though he apparently was just doing what he was told. That’s how things work with data leaks: the buck is passed, and responsibility shirked. In this instance, the state can say the responsible party has been fired, glossing over the fact that he was apparently just following directions he’d been given, and that the real problem here was a flawed security plan that was either devised by an idiot, or, more likely, by somebody who didn’t take the security of other people’s personal info very seriously. That’s the problem here: nobody seems to care when it’s other people’s data. There are never any real ramifications from these leaks, as long as companies or governments are seen to have some security plan in place, even if it’s not a good one. Until that changes — and the scapegoating and responsibility shirking stops — data leaks and breaches are going to keep on coming.
Filed Under: data breaches, identity theft, ohio, security
Comments on “Ohio Data Leak Gets Pinned On The Intern”
It’s all Microsoft’s fault! Buy a Mac!!!!!!
now let’s sit back and watch the flame war begin, and be sure to read the other article about flame wars, you may want to be careful on what you say 🙂
Re: Re:
Please. You’re behind the times. All the cool kids these days say, “Use Linux. Cuz you know if they were using Linux then this would not have happened.”
Re: Re: Re:
um tard, osx is a flavor of unix
Use Encryption people!
I went on vacation and took an external usb powered drive with me along with a Linux live CD in case I needed to use the data on it. TrueCrypt is a really wonderful piece of software. Thieves would find nothing useful on that external drive and reformat it to use as their own. My company data could not have been exploited since it was encrypted with AES 256 and a nice strong keyfile/password. Quite simple solution that no state or federal government will use because the IT staff is not competent… TrueCrypt also runs on Windows.
Re: Use Encryption people!
Joe… come on… before this happened, the taxpayers of Ohio would’ve thrown a fit if they’d found out the “not competent” IT staff and spent tax dollars on unnecessary encryption software. The newspapers would have crucified them for “government excess” and someone higher in the food chain than an intern would’ve lost their job.
No reasonable person would argue that this was a big smack in the face for some obviously less than cautious people… but keep in mind how difficult of a job they have of protecting that sensitive data… all while not spending a dime of those person’s tax money.
Re: Re: Use Encryption people!
TrueCrypt is free open source software. No charge for the taxpayer. Runs on Windows and Linux. Windows install is real easy too. Just download and run the installer. Some Linux flavors have install packages too and if you can’t find one, download the source and compile it yourself.
Oh Please.
Sure there’s blame to go around, but this kid leaves a data tape in an UNLOCKED car overnight, and gets mad when people blame him. Yeah. Hard to imagine.
Re: Oh Please.
So, just exactly *where* are you saying he *should* have put it overnight?
The kid deserves to be canned for doing something that stupid, but he shouldn’t be the only one. Shame on the state for this fake action plan.
this kid was following procedures.
he should sue from wrongful termination.
Who in their right mind would require someone to take home information like that as part of security! They are a bunch of idiots! That data should be encrypted and kept in a safe! Yes the intern has some blame, but the person who came up with the idea of taking that stuff home deserves more!!
I actually work for the State of Ohio IT and the comment “the real problem here was a flawed security plan that was devised by an idiot” is absolutley true, idiot may be reaching a little high. Whats below that?
Intern Fired
This is a case where I hold the intern without blame at all.
I don’t care that his car was not locked. I live in a place where you can leave things unlocked. But regardless the thief is who stole the drive.
The persons that are responsible are, the one to come up with the idea of the take home hard drive, and the one that signed off on the idea.
As they are civil servants, no merit raises, no promotions, and they should be put at the bottom step of their pay grade.
The only other option, their resignation.
Good move!
It’s the interns fault, as well as the fault of whatever ‘management’ decided that was a good data protection policy.
Plenty of blame to go around
Weak link #1: Careless intern leaves data tape in unlocked car overnight (bad move)
Weak link #2: Procedures that require said intern to take tape home with him (bad design)
Weak link #3: Poor encryption standards that would allow critical data like this to even potentially be usable by a 3rd party (bad choice)
So, let’s make sure every failure point gets addressed. The intern should certainly be canned (with cause), but the systems and policies ALSO need overhauling.
Re: Plenty of blame to go around
If it was stolen out of an “insecure” rented room some people would try to blame him for that as well. They would say that he should have stayed up all night guarding it. The guy probably wasn’t in the “secure data warehousing” business after all and so probably didn’t have an appropriate place to keep it. And on top of that, how is it the place of his employer to demand that he provide them free data warehousing on his own time in the first place? There are commercial companies for that kind of thing.
How can people blame the intern???
You people are killing me!!!! How can you blame the intern? What justification can you have for that? As an intern at one time, let me explain how these things work…
“Hey Joe, take this thing home with you tonight.”
“Sure, Mac, what is it?”
“Just some backups. We like to have a couple copies off-site every night. I’m taking one too. I would have given yours to Sam, but he’s already left.”
“I’m not so comfortable with that – what if something happens?”
“What’s gonna happen? Just throw the thing in your car and bring it back in tomorrow. Besides, it’s policy that two different people have backups. You wouldn’t want to get fired for refusing to follow policy, would ya?”
I love geniuses that pass the buck onto an intern that just wants to do his internship, without hassle, so that he gets a reference.
Why was an intern given so much sensitive data?
While I also agree that the intern probably should have at least locked his car, why was an intern given so much sensitive data? Who is to say that the tape wasn’t just “stolen”? Back when there was that whole scandal where social security # information from the bank was being sold the article I read talking about the people being busted stated that they were being paid $1 or more per social security number. If there was even 10,000 social security numbers in that data (and there easily could be on the 100,000’s), thats a lot of money for an intern. It was an idiotic decision to trust that data to an intern in the first place, even if there was a policy to take that off site. A more seasoned IT individual might have at least thought about the potential risks associated with the data being lost and would have taken more measures (e.g. bring it into their house).
The Kid isn’t being fired for taking it home it s for not keeping it secured in his Possession or in a secure place over night he didn’t follow the procedures to the full extent and thats why he was fired. I’m not saying a security procedure like this is very intelligent but thats why he was fired
Re: Re:
Did they provide him with this “secure place” you referenced as him not using?
Has anyone ever heard of a thief who wouldn’t break into a house? Would it have made a difference to the thief if the car had been locked? If I give a toddler a handgun, is it the toddler’s fault when they blow their own head off?
An intern by definition is learning on the job, and my home state has provided a really bad example of how to handle sensitive data. He shouldn’t be fired because the state has failed to put together a competent disaster recovery program. It was the state that failed to protect the identity of state employees, not the intern.
I think we can all agree...
A good security policy allows for human error. You can’t just assume that the best case scenario will always be the scenario. I am a disaster recover specialist and ive seen hundreds disaster recovery plans from fortune 500 companies. Government is always the cheapest and dumbest. They will spend 1/2 of whatever you tell them is the required minimum. That’s just how it is with Gov. and some other non-profs… oh yeah… they also have next to zero accountability. Put those two things together and you have a failure of a backup strategy and when it fails you have a dozen people pointing fingers and nobody resolving problems.
The whole thing smacks of keeping half your money in the mattress in case the bank burns down, and then smoking in bed.
NoName is right
First of all, if the backup wasn’t encrypted, then whoever created the security policy in the first place and handed off an unecrypted device with all those SSNs should be fired.
Second, the intern claims that he was simply told to take the backup home overnight and return it the next day, and the issue of how to secure the backup was never discussed. Again, if that’s true, then the fault was with the creators/implementers of the protocol above the lowly intern.
NoName is correct…if they want the tape secured, they have to be very explicit about what they mean by that. You can’t just give employees vague duties and then fire them when they don’t follow the specifics you, as a supervisor, should have given them in the first place.
supervisors
The worst part is that people who know what we are doing have to open our own shops, while the people who aree dumb enough to implement this stratagy keep getting hired.
Gimme a break...
This intern was supposedly a student at DeVry – which actually had something of a good reputation at one time. How do you get past the first weeks of any kind of computing degree without the utter sanctity of data burned into your head? Even if the data is not of such personal nature it is still sacred – would you want to run potentially corrupt data? Data that was corrupted by say – the environment inside a car? Or how about the magnetic fields that may have existed on or about the TV set that he told the Columbus Dispatch was a common repository point for him? My understanding is that the medium was magnetic tape.
The intern was hopelessly inept.
Kinda reminds me of the second year student that couldn’t figure out why he couldn’t get a 11,000 string array to run worth a crap (in 1999). Why aren’t the fundamentals being taught and stressed?
I wrote the governor – as I am in Ohio – and advised that he consider also canning the kid’s immediate super, too. The intern had only been with the state for two months when he was charged with the back-up duties. You trust an intern with only two months track record with that stuff? I think not! It also was not – by his own admission – his first time leaving it in a car.
Only a moron leaves such important data in such an environment to begin with
For the record – one ALWAYS keeps a back-up of critical data off-site. If you keep it on site and say – there’s a theft, or tornado – or highly destructive fire – then you have no back-up at all – or original data either. That’s why you keep one off site, the classic back-up schedule and protocol cited is the one devised by Planned Parenthood a couple of decades ago. And that is almost certainly the model used. After all – it takes a mighty safe to also be BOMB proof. A safe alone is not proper security – if the safe is on location where the originating data is.
I don’t know if the Gov ever actually saw my letter – but I did advise him of a company in Columbus that would certainly provide the utmost in data security – and if you need one they are also a very flexible and excellent host – JTLnet. They could deposit their back-ups with JTLnet at almost any hour of the day since they staff 24/7 — or even backup over the wire — or both.
Finally – the intern was 22 – does his mom still wipe the doo doo off his fanny? How on earth do you get to 22 and be that irresponsible in that sort of position?
There is zip zero excuse for the way the intern handled the data he was charged with protecting.
Re: Gimme a break...
tad_scsi,
After all your bandwagon ranting, you never did state just what you thought the intern should have done. So how about it, just what you thought the intern should have done?
Hmmm ...
I guess if we were talking about a chess game, rather than a governmental rush to “CYA,” this poor intern would be a punk – I mean a pawn.
Intern Scapegoat
The intern might have been fired for leaving the tape in his car unlocked, not exactly following the procedure. Several heads rolled other than the interns also, three levels up plus the two contractors that set the plan up.
Ohio Data Leak
I think Joe-Public needs to step up to the plate too and force those in authority who fired the Intern to not only lose their jobs, but do jail time for devising such a pitiful security plan. This is criminal – and with fore-thought, and should be dealt with in that regard – and not just in Ohio, but across the nation.
Rick In Michigan
Re: Ohio Data Leak
I couldn’t agree more with Rick. The entire chain of command revolving around this data should be prosecuted just as those they had stolen it. Until legislation is in place that will hold those responsible for actually responsible these kinds of problem will continue. I am one of the victims of this “loss”. I called the Department of Administrative Services, apparently the department that is the cause of this fiasco, and their representative stated the following;
The back up tape that was stolen was created on a faulty tape drive that had mis-aligned heads, so the data would only be readable by that tape drive or with sophisticated equipment.
There is no evidence that the data had been accessed.
His information was on the tape too, but he was not worried.
These are all a crock!
The state is paying for a credit verification service called Debix. This service will block any credit verifications until you are contacted and you supply them with your PIN. This service is being provided for 1 year. What happens in year two when the thieves of the tape drive start selling your information off and you are no longer protected? Why should I have to be forced to pay for this kind of protection for the rest of my life because some dip shit intern, and his management team are incompetent?
For the record I have contacted my state rep. and Mike Foley has not returned any of my emails. This ass clown will not be getting my vote next election. In Fact I will be actively campaigning for who ever runs against him.