Intern Loses 800,000 Social Security Numbers
destinyland writes "A 22-year-old intern said today he's the 'scapegoat' for the loss of over 800,000 social security numbers - or roughly 7.3% of the people in the entire state of Ohio. From the article: 'The extent of my instructions on what to do after I removed the tapes from the tape drive and took the tapes out of the building was, bring these back tomorrow.' Three months into his $10.50-an-hour internship, he left the tapes in his car overnight — unencrypted — and they were stolen. Interestingly, the intern reports to a $125-an-hour consultant — and was advised not to tell the police that sensitive information had been stolen, which initially resulted in his becoming the prime suspect for the theft. Ohio's Inspector General faults the lack of data encryption — and too many layers of consultants. But their investigation (pdf) revealed that Ohio's Office of Management and Budget had been using the exact same procedure for over eight years."
Re:Are you really trying to blame Bush? (Score:1, Interesting)
Negligence (Score:2, Interesting)
The value of labor per hour is not relevant and should be considered a distraction from the truth in this situation. The reality is that an adult of mature age was directed to secure the property and was asked to take it home and keep it safe.
Whether this was wrong or not is a non-point the moment he accepted the assignment.
The fact that he left it in his vehicle is a first point of negligence.
The second fact would be his willingness to do something he felt was a risk, such as taking these tapes home.
The third being his lack of documented objection to the process and procedure which is obviously faulted.
Re:Scapegoat? Maybe, but he's still a moron. (Score:5, Interesting)
Part of me always thinks some of these stories are really fishy...
I mean, he tells the intern to take the tapes home, but bring them back tomorrow. Which is pretty stupid in its own right, but let's throw a little conspiracy angle in. The consultant sells the data on the tapes, but he just can't hand it over, so he tells an intern to take these tapes home and bring them back tomorrow. Tapes get stolen, consultant's deal goes off, the buyer gets his data, and it becomes an everyday incident of "My car got broken into and everything was taken!"
People take laptops home for one night and it gets stolen, and it just so happens to have a million people's information on it. Over and over. I realize that things need to be encrypted, but still... the conspiracy angle dictates that not encrypting the data in these cases is the goal.
Re:Scapegoat? Maybe, but he's still a moron. (Score:3, Interesting)
That being said, yeah, the organization is primarily at fault. This is their offsite storage method, according to their disaster of a recovery plan. That it hasn't bitten them in the ass before this is nothing more than luck.
Re:Scapegoat? Maybe, but he's still a moron. (Score:5, Interesting)
You have to accept that the same kind of criminal who is going to bust your window to steal crap out of your car is going to snag a few tapes, contents unknown, on the principle that he can sell it to someone? Even if the stuff turns out to be valuable, he won't make any real money off of it because (assuming he actually knows of someone who would buy SSNs) the buyer would be free to misrepresent the value.
I'd say this is a targeted theft by someone who knew damn well that those tapes would be going home with someone... Easy information to have because you know that, as many consultants as they've cycled through that place, tons of people knew their policy.
Re:It gets better...er, funnier at least (Score:5, Interesting)
Your assigned activation PIN (personal identity number) is 7655616
smith, 1235 = nada
smith, 1236 = 8966764
Then, I tried:
%, 1236 = 3738028
smit%, 1234 = 7655616
smit, 1234 = 7655616
smoth, 1234 = nada
sm_th, 1234 = 7655616
Lastly, if your organization's procedure is to pass 22-year-old interns the company's "family jewels" to keep overnight and one day they get stolen, it's not the intern's fault at all.
The management is to be blamed for this. That's pretty much a stupid procedure.
The intern isn't being paid enough for such a responsibility, nor should the intern be given such a responsibility in the first place.
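The lookup results quoted in the comment above (`smit`, `smit%`, `sm_th` and a bare `%` all returning a PIN) are consistent with a name field matched by SQL `LIKE`, where `%` and `_` are wildcards; that is an inference from the quoted output, not something the page states. The following is an added example, not the site's code and not part of the comment, showing that weak form beside an exact-match form; the schema, function names and sample rows are constructed.

```python
import re
import sqlite3

# Constructed sample rows: names, digits and PINs are invented for this example.
ROWS = [
    ("adams", "1236", "1000001"),
    ("smith", "1234", "1000002"),
    ("smith", "1236", "1000003"),
]

NAME_RE = re.compile(r"[A-Za-z][A-Za-z' -]{0,63}")  # no % or _ allowed


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE people (last_name TEXT, ssn4 TEXT, pin TEXT)")
    db.executemany("INSERT INTO people VALUES (?, ?, ?)", ROWS)
    return db


def lookup_like(db, last_name, ssn4):
    """Weak form: bound parameter, but LIKE still treats % and _ as wildcards."""
    row = db.execute(
        "SELECT pin FROM people WHERE last_name LIKE ? AND ssn4 = ? "
        "ORDER BY rowid LIMIT 1",
        (last_name + "%", ssn4),
    ).fetchone()
    return row[0] if row else None


def lookup_exact(db, last_name, ssn4):
    """Hardened form: validate input, compare by equality, require one match."""
    if not NAME_RE.fullmatch(last_name) or not re.fullmatch(r"[0-9]{4}", ssn4):
        return None
    rows = db.execute(
        "SELECT pin FROM people WHERE last_name = ? COLLATE NOCASE AND ssn4 = ?",
        (last_name, ssn4),
    ).fetchall()
    return rows[0][0] if len(rows) == 1 else None


if __name__ == "__main__":
    db = make_db()
    for name, digits in [("smith", "1234"), ("smit", "1234"), ("sm_th", "1234"),
                         ("%", "1236"), ("smoth", "1234")]:
        print(name, digits, lookup_like(db, name, digits), lookup_exact(db, name, digits))
```

Binding the value as a parameter does not neutralize `LIKE` wildcards; only switching to equality (or escaping `%` and `_`) does, which is why the weak form above is parameterized and still over-matches.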
They're all stupid (Score:4, Interesting)
Consultants reporting to consultants? Great plan if you don't care to remain in control of your company/organization.
Making a single, bottom level, low income person responsible for your most valuable asset, data? Obviously no concept of sensitive information.
No encryption? Dumb, dumber and dumbest omission of data management.
My recommendations:
1) Keep the intern. He now is knowledgeable and will make better decisions on similar matters; however, let him do the job appropriate to his level. Being fully responsible for off site data should not be part of his job.
2) Update the policy in accordance with federal, SOX, ISO 17799 and whatever other standards apply to include data encryption and a *real* off site method.
3) Get rid of one of the consultants. All consultants should be reporting directly to an employee who has interest in the company/organization.
4) Use the money saved by removing the excess consultant to pay a professional company to pick up and store the tapes off site, in a secure, disaster recovery designed site. Iron Mountain does a pretty good job (or use their online data transfer method). If nothing else, purchase a small, fireproof box with a lock and make the manager carry it home each night.
These are really basic IT management decisions. I feel sorry for the people relying upon such an organization with an obvious lack of skill or concern.
Re:Scapegoat? Maybe, but he's still a moron. (Score:3, Interesting)
Re:Scapegoat? Maybe, but he's still a moron. (Score:4, Interesting)
When I inherited the info, I saw that it was already quite behind and out-of-date (and I also noticed that there was an error in the 30+ part questionnaire being used where the numbers were off, so all the data on the spreadsheet was potentially wrong). I envisioned headlines such as this, only with some sort of food contamination disaster or plant explosion, and my photo with the caption "Didn't maintain bioterrorism database".
I got the hell out of there immediately. In my opinion, the fact that this was such a small-time job with low pay, and the fact that I was only 22 with no family, made it infinitely easier for me to say "no way, sorry, this is ridiculous" and just be done with it. If the guy had a family of five and had worked at the company for years and suddenly had to risk it all by taking these tapes, then I could understand why he would be conflicted. This guy here had everything to lose and very little to gain by taking those tapes.
Re:Tape = encryption (Score:2, Interesting)
Re:It gets better...er, funnier at least (Score:2, Interesting)
Looks like some Smiths are going to find out their SSN has been stolen whether or not they know how to use a computer
Re:Scapegoat? Maybe, but he's still a moron. (Score:1, Interesting)
This guy needed to show some initiative and some common sense: bring backup tapes inside with you, ask why it was the intern's job to bring them home (why not the contractor's house?) and whether there was a way to back up the data onto a remote server. He'd probably get brushed off but maybe something would change.
Re:Scapegoat? Maybe, but he's still a moron. (Score:3, Interesting)
Re:Scapegoat? Maybe, but he's still a moron. (Score:3, Interesting)
As most will know on this site, anyone making anywhere close to $10/hr likely is not trusted enough to go for coffee and get the order right, let alone carry data for 800k clients for no apparent reason.
Since when does any company tell you to take sensitive data to your own home just to bring it back later?