Intern Loses 800,000 Social Security Numbers 492
destinyland writes "A 22-year-old intern said today he's the 'scapegoat' for the loss of over 800,000 social security numbers - or roughly 7.3% of the people in the entire state of Ohio. From the article: 'The extent of my instructions on what to do after I removed the tapes from the tape drive and took the tapes out of the building was, bring these back tomorrow.' Three months into his $10.50-an-hour internship, he left the tapes in his car overnight — unencrypted — and they were stolen. Interestingly, the intern reports to a $125-an-hour consultant — and was advised not to tell the police that sensitive information had been stolen, which initially resulted in his becoming the prime suspect for the theft. Ohio's Inspector General faults the lack of data encryption — and too many layers of consultants. But their investigation (pdf) revealed that Ohio's Office of Management and Budget had been using the exact same procedure for over eight years."
Scapegoat? Maybe, but he's still a moron. (Score:5, Insightful)
"DIAF."
I'm forever amazed at how often people seem to be willing to snag a stack of backup media out of the back of someone's car. The criminal element seems to be quite tech savvy these days; I just wish some of that would pass to the rest of the population.
I live in the south, and "media left in a car" is not really a problem here; leaving tapes in the back seat of a car in the summertime is what we do when the incinerator is out of order...Works even at night!
Who the hell would send an intern out with backup tapes anyway? Makes no sense. Is that their offsite storage procedure? Send the tapes home with an intern, and hope he brings 'em back? Reading the PDF report, that turns out to be exactly what their procedure was...They even had it in their disaster plan, which makes me think it was more disaster and less plan. What the hell? Does the state of Ohio have so few buildings that they have to send the tapes home with people?
Fricking consultants. By the "You get what you pay for" scale you'd think $125-an-hour would buy you more than a huge pain in the ass like this. Sounds like the whole organization was rotten though, so it's hard to blame them.
I think the bigger problem (Score:4, Insightful)
7.3%- Sounds about right (Score:3, Insightful)
everyone BUT the intern should be fired (Score:5, Insightful)
i get told now and then to do something not quite above board.. so i send the requester an email asking them to state in explicit detail what they want so i can be clear (and also have a record/trail). most times, the request is not repeated. doesn't make me terribly popular, but i sure as hell am not going to get tossed for another person's bad (or illegal?) request.
i kinda feel bad for the intern.. kinda like a falsely-accused criminal. this will probably follow him around a while and it was little or no fault of his own..
-r (has NO problem believing the intern's story 100%)
Makes sense not to report for a bit (Score:5, Insightful)
If a news report came out the next day "20,000 SSNs stolen" then they would know what they had, and try to find a buyer. Otherwise the tapes would likely have been trashed so the criminals wouldn't have incriminating evidence sitting around their house.
Dan East
Re:Scapegoat? Maybe, but he's still a moron. (Score:5, Insightful)
Re:It Figures... (Score:5, Insightful)
To all the comments that are calling the intern an idiot for leaving the tapes in his car, I ask you this: where should he have stored them? In his apartment which can be just as easily broken into? Was he supposed to rent out a protected storage unit at his own expense? The correct answer is that he should have never been responsible for storing them. Now ask yourself what is worse: a superior handing over 800,000 SSN's to an intern, or an intern leaving those SSN's in his car?
Re:I think the bigger problem (Score:3, Insightful)
Simple Solution To All This (Score:4, Insightful)
There is a simple solution to this kind of thing. You take the SSN, bank account and CC numbers of the person in charge (the General, Congressman, CEO etc.) and you put them in every container, laptop, tape, HDD, USB stick, etc. that has private information on it.
Problem solved.
Re:Scapegoat? Maybe, but he's still a moron. (Score:2, Insightful)
Re:Scapegoat? Maybe, but he's still a moron. (Score:1, Insightful)
A few points on his statement (Score:3, Insightful)
1) He also obviously did not take time to investigate or read the policy. Granted .. this can be also blamed on supervisor's. But there is no 'patch' for ignorance, correct? Sometimes you only get one shot.
2) If he had any idea what was on the tape, he should not have left it in his car. I don't know if it was in the open or not, but 'intern' or not, he should be aware of the sensitivities of that sort of data. He commented on the policy (which he was not aware of until after the fact ... we've covered that) and said it was "unreasonable to assume that the person would not stop somewhere on their way home". (He is questioning the policy, but we'll cover that next.) Again ... if I knew what was on that tape (granted, I am not an innocent, young 'intern'), I wouldn't take it. If forced to, I wouldn't let it out of my sight til in my home.
3) He *should* question policy if he wants to be valued .. hopefully he learns from that. That's something I look for in a valuable employee. Questioning does not necessarily mean 'defy' (which I think is what he is trying to say). If not questioning the policy, he should be asking "This stuff is encrypted, right?"
They are kind of going after the young intern as someone to pin this on, I'm sure. However, I don't think he can/should hide behind his 'intern' label and fire his pop-gun back saying none of it is his fault. He should admit his part in the mistakes and what he would not repeat ... then point to the broken policy / security model.
Also hope they have fraud alerts set up on those 770,000 people and are ensuring they have state-provided equifax accounts! ;)
Re:Scapegoat? Maybe, but he's still a moron. (Score:5, Insightful)
As someone who spent a decade or so as a "fricking consultant" I don't find it hard to blame him. If Mr. $125/hr was a half competent consultant he should at the very least have email evidence to show that he tried to change this retarded procedure but was vetoed by his superior. If he has such evidence then rinse & repeat up the PHB ladder.
Also, scam sites are going to be all over this (Score:3, Insightful)
Re:Scapegoat? Maybe, but he's still a moron. (Score:5, Insightful)
As a 30+ year consultant, I've banged my head numerous times against stupid 'security'. Many times, I simply refused to follow their procedures. Let some company goon do the stupid thing. I'm paid to be an analyst and if I spot a problem and report it, I'm certainly not going to follow procedures I myself have labeled as bad.
The consultant is the primary blame and the intern a very far second. Just because a company has bad procedures doesn't mean you follow them.
Re:Makes sense not to report for a bit (Score:3, Insightful)
That's like not reporting your car stolen and just hoping it will turn up somewhere unscathed because it was a 1989 honda. Sure, it's not worth much to anyone but you, but not letting the police do their job is plain stupid.
Re:I think the bigger problem (Score:3, Insightful)
And this is why (Score:4, Insightful)
They are essentially a pyramid scheme to keep old people happy. You have to put them on everything, because they have become a national ID number. People are to complacent with that.
Re:Scapegoat? Maybe, but he's still a moron. (Score:3, Insightful)
I take it that you are a relatively savvy tech-head geek. Would you be able to line up a buyer for social security or other personal information?
Re:Scapegoat? Maybe, but he's still a moron. (Score:3, Insightful)
Someone on the outside was paying the $125 consultant for the data, so the consultant set up that little scenario so his buddies on the outside could get their hands on the data, making what was an espionage job look like a little bit of regular garden variety bureaucratic incompetence.
Re:Are you really trying to blame Bush? (Score:3, Insightful)
Which leads to the obligatory:
You don't know the power of the Dark Side
Seriously, every President of the United States goes through this at one point or another. You're the most visible representation of authority in the United States, so when something bad happens, people blame you. Doesn't matter that you had no way of doing it, no control over the process that caused it, or didn't care about it. I don't think W is going to rank up there with the best President's when it's all said and done, and he's certainly not on my Christmas card list, but the rampant need to blame everything on him is ludicrous. Besides, we Americans only have ourselves to blame -- we elected him! Well... I didn't... I voted for Optimus Prime...
Re:Scapegoat? Maybe, but he's still a moron. (Score:3, Insightful)
I don't doubt that happens but in my own experience I have rarely found it to be the case. Sure they don't always agree with me, but they do listen.
"Consulting is no fun, except the paychecks tend to be pretty good."
If your not "having fun" then get the fuck out of the kitchen.
Re:Scapegoat? Maybe, but he's still a moron. (Score:5, Insightful)
This has absolutely nothing to do with the Bush administration however, the blame lies squarely on the state and nobody else.
Re:Scapegoat? Maybe, but he's still a moron. (Score:2, Insightful)
Often a criminal will set his target - "I'm going to get that stereo" or "This idiot leaves computer like stuff in the car. Maybe I'll find a laptop". Once the window is broken, you grab anything that isn't bolted to the car frame and run like hell. It could have been some backup tapes this time or it could have been a case of blank CD-Rs. Don't matter once the window is broken.
After you get away, then you sort out the goods. Again, most guys don't know what they have but there are plenty of people on the streets, a whole network in fact, that can appraise the loot. One of those guys might have an IT background and know what those tapes are.
Being a criminal isn't all that hard. It just comes with a big risk and limited payoff.
Re:Scapegoat? Maybe, but he's still a moron. (Score:2, Insightful)
Re:Negligence (Score:1, Insightful)
The third being his lack of documented objection to the process and procedure which is obviously faulted.
It's good to see that "just following orders" isn't acceptable in this case, but the thing to remember is that the Germans who were just following their orders didn't absolve them of their crimes, neither did that fact absolve Hitler of his for giving the orders in the first place.
Re:Scapegoat? Maybe, but he's still a moron. (Score:4, Insightful)
Re:Scapegoat? Maybe, but he's still a moron. (Score:4, Insightful)
Re:Scapegoat? Maybe, but he's still a moron. (Score:5, Insightful)
Re:Scapegoat? Maybe, but he's still a moron. (Score:3, Insightful)
Just because someone is a "consultant" does not mean they even know what they are doing.
Re:I think the bigger problem (Score:3, Insightful)
Re:Negligence (Score:2, Insightful)
Intern: "I know that I have no experience and no battle-tested skills, but I'm afraid I must disagree with the way you're running this company. My recommendation is to--"
Boss: "Excuse me, but do you work here?"
Intern: "Uh, yeah. Summer program."
Boss: "Well, this year, Fall's comin' early!"
It is to laugh. But seriously, in the service of battling this apparently massive epidemic of worldwide intern negligence, I have done a bit of research into all of the "documented objections to process and procedure" which have ever been initiated by interns, throughout all of time and space. Here's the complete list...
Didja miss it? Sad state of affairs, wouldn't you say? Which begs the question: WHY are America's interns so incompetent? We need to train our interns! In fact, somebody should start some sort of training program with this very thing as its goal. Why even stop there? Why not a training program at every company? America needs to get its act together, because education is everything.
Why is this marked as 'Troll' (Score:3, Insightful)
Yesterday, I was the first on the scene to an accident. A kid (temporarily, I believe) lost vision in one eye when the air bag smacked him in the face. I think it was my duty to report everything that I did (check for injuries, make sure he was coherent, move some debris out of the road) to the police officers & ambulance crew. The police can decide was matters, they do this every day. I am a novice & my opinions as to what matters is inferior to their experience.
Re:Scapegoat? Maybe, but he's still a moron. (Score:3, Insightful)