Intern Loses 800,000 Social Security Numbers
destinyland writes "A 22-year-old intern said today he's the 'scapegoat' for the loss of over 800,000 social security numbers - or roughly 7.3% of the people in the entire state of Ohio. From the article: 'The extent of my instructions on what to do after I removed the tapes from the tape drive and took the tapes out of the building was, bring these back tomorrow.' Three months into his $10.50-an-hour internship, he left the tapes in his car overnight — unencrypted — and they were stolen. Interestingly, the intern reports to a $125-an-hour consultant — and was advised not to tell the police that sensitive information had been stolen, which initially resulted in his becoming the prime suspect for the theft. Ohio's Inspector General faults the lack of data encryption — and too many layers of consultants. But their investigation (pdf) revealed that Ohio's Office of Management and Budget had been using the exact same procedure for over eight years."
It gets better...er, funnier at least (Score:5, Informative)
http://ohio.gov/idprotect/lookup/lookup.aspx/ [ohio.gov]
On this page you enter your last name and the last four of your SSN. Anybody see anything fishy about this page? HOW ABOUT THAT IT ISN'T USING SSL. Apparently they don't believe in using encryption anywhere, ever. Not on backup tapes and definitely not when transmitting sensitive information over the Internet.
Re:Bring these back tomorrow? (Score:2, Informative)
And I think the bigger problem (Score:5, Informative)
There were SSNs of 770,000 taxpayers plus 64,000 state employees that together were 7.3% of the state population. Nowhere does it say that 7.3% of the population was working for the state government.
Re:Scapegoat? Maybe, but he's still a moron. (Score:3, Informative)
The heat is probably a bigger danger.
As for the big woofers, they might attract thieves and cause problems that way :)
Re:Scapegoat? Maybe, but he's still a moron. (Score:2, Informative)
Re:Bring these back tomorrow? (Score:3, Informative)
They just did it in a horribly horribly bad way. There are lots of other state buildings around they could transfer things to regularly. Having anyone, let alone an intern, take them to their home instead is simply stupid. As is leaving company property unattended in your car. Having them do that with unencrypted data was just batshit insane.
Re:Scapegoat? Maybe, but he's still a moron. (Score:3, Informative)
Sure, I've worked at places that do that ... but sending them home with the intern? Whenever I've seen it done it's been with trusted full-time employees, with a paper trail of exactly what went to their home.
Re:Scapegoat? Maybe, but he's still a moron. (Score:3, Informative)
Encrypted backups are not hard to do, although not that many backup programs on the Windows side (unless you go to Networker or Tivoli Storage Manager) support solid encryption. The main one that does support encryption is EMC/Insignia's Retrospect on the Windows side, and Arkeia on the UNIX side.
[1]: A solid encryption system is not just clicking a checkbox that says "backup will be encrypted", and typing in a password on two blank fields, but knowing who has access to what passwords, and preferably having it that the guy who has the encryption keys or passwords is not the same guy in physical custody of the tapes 24/7, assuming a large company.
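The key-custody split described in the comment above, as an added example (not from the original thread or from any product named in it): the backup host holds only a public certificate, so whoever writes and carries the tape cannot decrypt it. It assumes OpenSSL's `cms` command is available; the function names, file names and the "custodian" role are hypothetical.

```shell
#!/bin/sh
# Added example: envelope-encrypt a backup to a public certificate so that tape
# custody and key custody sit with different people. All names are hypothetical.
set -eu
# Enable pipefail where the shell supports it (bash, newer sh implementations).
(set -o pipefail) 2>/dev/null && set -o pipefail

# Key custodian, once, on a machine that is NOT the backup host:
# create a key pair. Only custodian.crt is ever copied to the backup host.
make_custodian_keys() {   # $1 = directory held by the custodian
  openssl req -x509 -newkey rsa:3072 -nodes -days 3650 \
    -subj "/CN=backup-key-custodian" \
    -keyout "$1/custodian.key" -out "$1/custodian.crt" 2>/dev/null
  chmod 600 "$1/custodian.key"
}

# Backup operator: stream the archive straight into encryption, so no
# plaintext copy is written. OpenSSL generates a random AES-256 key per run
# and wraps it with the custodian's public key (RSA-OAEP).
encrypt_backup() {        # $1 = source dir, $2 = certificate, $3 = output file
  tar -C "$1" -cf - . |
    openssl cms -encrypt -binary -aes256 -outform DER -out "$3" \
      -recip "$2" -keyopt rsa_padding_mode:oaep
}

# Restore: impossible without the private key, i.e. without the custodian.
# Decrypt to a file first so a failed decryption stops before tar runs.
restore_backup() {        # $1 = encrypted file, $2 = cert, $3 = key, $4 = dest
  mkdir -p "$4"
  openssl cms -decrypt -binary -inform DER -in "$1" \
      -recip "$2" -inkey "$3" -out "$4/restore.tar" &&
    tar -C "$4" -xf "$4/restore.tar" &&
    rm -f "$4/restore.tar"
}

# Note: -aes256 here is AES-256-CBC, which gives confidentiality only.
# Keep a separately stored checksum or signature of the output file if
# tampering with the tape must be detectable.
```
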