


Intern Loses 800,000 Social Security Numbers 492
destinyland writes "A 22-year-old intern said today he's the 'scapegoat' for the loss of over 800,000 social security numbers - or roughly 7.3% of the people in the entire state of Ohio. From the article: 'The extent of my instructions on what to do after I removed the tapes from the tape drive and took the tapes out of the building was, bring these back tomorrow.' Three months into his $10.50-an-hour internship, he left the tapes in his car overnight — unencrypted — and they were stolen. Interestingly, the intern reports to a $125-an-hour consultant — and was advised not to tell the police that sensitive information had been stolen, which initially resulted in his becoming the prime suspect for the theft. Ohio's Inspector General faults the lack of data encryption — and too many layers of consultants. But their investigation (pdf) revealed that Ohio's Office of Management and Budget had been using the exact same procedure for over eight years."
Scapegoat? Maybe, but he's still a moron. (Score:5, Insightful)
"DIAF."
I'm forever amazed at how often people seem to be willing to snag a stack of backup media out of the back of someone's car. The criminal element seems to be quite tech savvy these days; I just wish some of that would pass to the rest of the population.
I live in the south, and "media left in a car" is not really a problem here; leaving tapes in the back seat of a car in the summertime is what we do when the incinerator is out of order...Works even at night!
Who the hell would send an intern out with backup tapes anyway? Makes no sense. Is that their offsite storage procedure? Send the tapes home with an intern, and hope he brings 'em back? Reading the PDF report, that turns out to be exactly what their procedure was...They even had it in their disaster plan, which makes me think it was more disaster and less plan. What the hell? Does the state of Ohio have so few buildings that they have to send the tapes home with people?
Fricking consultants. By the "You get what you pay for" scale you'd think $125-an-hour would buy you more than a huge pain in the ass like this. Sounds like the whole organization was rotten though, so it's hard to blame them.
Re:Scapegoat? Maybe, but he's still a moron. (Score:5, Insightful)
Re: (Score:3, Insightful)
in today's world it's quite apparent that data tapes (usually marked with the size of the tapes, i.e. 50GB, 100GB, etc.) usually mean sensitive information - which is usually salable. Heck, even a crackhead would recognize that and try to sell them for a few bucks, not knowing what he really had.
I don't see how a crackhead could line this deal up. Their only market seems to be the pawnshop and the street corner.
I take it that you are a relatively savvy tech-head geek. Would you be able to line up a buyer for social security or other personal information?
Well, I could (Score:5, Funny)
Informative (Score:3, Funny)
Y
Re: (Score:3, Interesting)
Re: (Score:3, Insightful)
Someone on the outside was paying the $125 consultant for the data, so the consultant set up that little scenario so his buddies on the outside could get their hands on the data, making what was an espionage job look like a little bit of regular garden variety bureaucratic incompetence.
Re: (Score:3, Insightful)
Re:Scapegoat? Maybe, but he's still a moron. (Score:5, Funny)
Computer Science:
"So, as you can see, the Halting Problem cannot be solved using Turing Machines; Alan Turing proved this in a paper in..."
DeVry:
"Ok, class, now push the glowy button and let it boot up... Oooh! Shiny! Isn't that SHINY?"
NOT THE SAME.
Re: (Score:3, Interesting)
Re:Scapegoat? Maybe, but he's still a moron. (Score:4, Insightful)
Anna Kournikova nude! (Score:3, Funny)
Re: (Score:3, Funny)
Screw encryption. I just back-up everything on cassette tapes. Just the way my TRS-80 like it! Go Tandy!
My only encryption is labeling the tapes Wham! and Frankie Goes to Hollywood.
Re: (Score:2, Insightful)
Re: (Score:3, Interesting)
That being said, yea, the organization is primarily at fault. This is their offsite storage method, according to their disaster of a recovery plan. That it hasn't bitten them in the ass before this is nothing more than luck.
Re:Scapegoat? Maybe, but he's still a moron. (Score:5, Insightful)
Re:Scapegoat? Maybe, but he's still a moron. (Score:4, Interesting)
When I inherited the info, I saw that it was already quite behind and out-of-date (and I also noticed that there was an error in the 30+ part questionnaire being used where the numbers were off, so all the data on the spreadsheet was potentially wrong). I envisioned headlines such as this, only with some sort of food contamination disaster or plant explosion, and my photo with the caption "Didn't maintain bioterrorism database".
I got the hell out of there immediately. In my opinion, the fact that this was such a small-time job with low pay, and the fact that I was only 22 with no family, made it infinitely easier for me to say "no way, sorry, this is ridiculous" and just be done with it. If the guy had a family of five and had worked at the company for years and suddenly had to risk it all by taking these tapes, then I could understand why he would be conflicted. This guy here had everything to lose and very little to gain by taking those tapes.
Re: (Score:3, Funny)
Re: (Score:2)
Re:Scapegoat? Maybe, but he's still a moron. (Score:5, Insightful)
As someone who spent a decade or so as a "fricking consultant" I don't find it hard to blame him. If Mr. $125/hr was a half competent consultant he should at the very least have email evidence to show that he tried to change this retarded procedure but was vetoed by his superior. If he has such evidence then rinse & repeat up the PHB ladder.
Re:Scapegoat? Maybe, but he's still a moron. (Score:5, Insightful)
As a 30+ year consultant, I've banged my head numerous times against stupid 'security'. Many times, I simply refused to follow their procedures. Let some company goon do the stupid thing. I'm paid to be an analyst and if I spot a problem and report it, I'm certainly not going to follow procedures I myself have labeled as bad.
The consultant is the primary blame and the intern a very far second. Just because a company has bad procedures doesn't mean you follow them.
Re:Scapegoat? Maybe, but he's still a moron. (Score:4, Insightful)
Re: (Score:3, Insightful)
I don't doubt that happens but in my own experience I have rarely found it to be the case. Sure they don't always agree with me, but they do listen.
"Consulting is no fun, except the paychecks tend to be pretty good."
If your not "having fun" then get the fuck out of the kitchen.
Re:Scapegoat? Maybe, but he's still a moron. (Score:5, Interesting)
Part of me always thinks some of these stories are really fishy...
I mean, he tells the intern to take the tapes home, but bring them back tomorrow. Which is pretty stupid in its own right, but let's throw a little conspiracy angle in. The consultant sells the data on the tapes, but he just can't hand it over, so he tells an intern to take these tapes home and bring them back tomorrow. Tapes get stolen, consultant's deal goes off, the buyer gets his data, and it becomes an everyday incident of "My car got broken into and everything was taken!"
People take laptops home for one night and it gets stolen, and it just so happens to have a million people's information on it. Over and over. I realize that things need to be encrypted, but still... the conspiracy angle dictates that not encrypting the data in these cases is the goal.
Re:Scapegoat? Maybe, but he's still a moron. (Score:5, Interesting)
You have to accept that the same kind of criminal who is going to bust your window to steal crap out of your car is going to snag a few tapes, contents unknown, on the principle that he can sell it to someone? Even if the stuff turns out to be valuable, he won't make any real money off of it because (assuming he actually knows of someone who would buy SSNs) the buyer would be free to misrepresent the value.
I'd say this is a targeted theft by someone who knew damn well that those tapes would be going home with someone...Easy information to have because you know that, as many consultants as they've cycled through that place, tons of people knew their policy.
Re: (Score:2)
Re: (Score:3, Funny)
... let's throw a little conspiracy angle in.
OK! Wayne Madsen [waynemadsenreport.com] has a conspiracy theory that all of the data thefts are a black op to populate the Total Information Awareness [wikipedia.org] database, which is itself now a black op.
He maintains a chart of data thefts that shows millions of records from both public and private sources, but the chart is now on the subscription portion of the site.
Re: (Score:3, Interesting)
Part of me always thinks some of these stories are really fishy...
I currently work for a small business where this "take the backup tapes home with you for the night" is exactly their "disaster plan." I'm not saying it's a good plan. But it may be more common than you think.
People take laptops home for one night and it gets stolen, and it just so happens to have a million people's information on it.
The article did say he'd been doing the same thing for 3 months before the theft occurred. It's not like that was the one and only night he took the tapes home in that manner.
Also, scam sites are going to be all over this (Score:3, Insightful)
Re: (Score:2)
Leaving the tapes in a car overnight is stupid, though.
The biggest problem with moving tapes around is that you have to make sure they're not moved in a car with a great big stereo. Subwoofers can play havoc on magnetic
Re: (Score:3, Informative)
IMO there's nothing wrong with sending tapes home with people.
Agreed -- it's the poor man version of offsite backups, though if they have sensitive information they should be encrypted at the very least. Still, while it probably makes sense for a five man office, it's probably not the best way of doing things for a big operation.
The biggest problem with moving tapes around is that you have to make sure they're not moved in a car with a great big stereo. Subwoofers can play havoc on magnetic media.
Actually, the strongest magnet you have in your house probably isn't strong enough to do anything to modern data tapes. It takes a strong honking magnet to affect modern data tape media in the slightest. You could wrap your DLT/LTO/whatev
Re: (Score:3, Informative)
Sure, I've worked at places that do that ... but sending them home with the intern? Whenever I've seen it done it's been with trusted full time employees, with a paper trail of exact what went to their home.
Re: (Score:3, Informative)
Encrypted backups are not hard to do, although its not in that many backup programs on the Windows side (unless you go to Networker or Tivoli Storage Manager) support solid encryption. The main one that does support encryption is EMC/Insignia's Retrospect on the Windows side, and Arkeia on the UNIX side.
[1]: A solid encryption system is not just clickin
Re: (Score:3, Insightful)
Just because someone is a "consultant" does not mean they even know what they are doing.
Are you really trying to blame Bush? (Score:5, Funny)
Yes, I am (Score:5, Funny)
ObThisWeekend (Score:4, Funny)
Re: (Score:3, Insightful)
Which leads to the obligatory:
You don't know the power of the Dark Side
Seriously, every President of the United States goes through this at one point or another. You're the most visible representation of authority in the United States, so when something bad happens, people blame you. Doesn't matter that you had no way of doing it, no control over the process that caused it, or didn't care about it. I don't think W is going to rank up there with the best President's when it's all said and done, and he'
Hippy (Score:5, Funny)
Re:Scapegoat? Maybe, but he's still a moron. (Score:5, Insightful)
This has absolutely nothing to do with the Bush administration however, the blame lies squarely on the state and nobody else.
Re: (Score:3, Funny)
Sorry, I couldn't resist.
Comment removed (Score:4, Interesting)
Re: (Score:2)
Which is precisely why offsite copies are made. All legitimate backup schemes involve the offsite storage of tapes. Most companies contract with a company that specializes in this sort of thing, like Iron Mountain. All data centers are at risk of physical catastrophe in addition to fires. Earthquakes, tornados, floods, hurricanes, etc depending on locale. Shipping the tapes offsite is not the probl
Re: (Score:2)
It's easy, sensible, reasonably secure. The offsite location is a satellite office, they have a locking tape safe in which they store the tapes. If the tapes were stolen, most of the
I think the bigger problem (Score:4, Insightful)
Re:I think the bigger problem (Score:5, Funny)
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
Re: (Score:3)
http://www.heartland.org/Article.cfm?artId=18746 [heartland.org] - 15.8 million state and local
So over 10%. Which probably doesn't include state and local contractors. Or the industrial part of the "military-industrial complex"...
Re: (Score:2)
For instance, I got a letter that my number was stolen, because I (apparently) was on a list of people who hadn't cashed their tax return check by some date or another. I don't work for the Ohio state government, though.
The article says that 770,000 of the numbers were from tax payers, and 64,000 were from state employees.
Re: (Score:2)
And I think the bigger problem (Score:5, Informative)
There were SSN's of 770,000 taxpayers plus 64,000 state employees that together were 7.3% of the state population. Nowhere does it say that 7.3% of the population was working for the state government.
prime suspect (Score:5, Funny)
Re: (Score:2)
The parent said:
Who the hell would buy a Ferrari with gas prices the way they are?
Uh-oh. (Score:5, Funny)
Didn't anyone think (Score:2)
Would they have handled it any differently if it was?
Bring these back tomorrow? (Score:2)
Cheers!
Re: (Score:2, Informative)
Re: (Score:2)
Wouldn't that make a lot more sense and be a hell of a lot safer?
Re: (Score:3, Informative)
They just did it in a horribly horribly bad way. There are lots of other state buildings around they could transfer things to regularly. Having anyone, let alone an intern, take them to their home instead is simply stupid. As is leaving company property unattended in your car. Having them do that with unencrypted data was just batshit insane.
Small mistake in title... (Score:5, Funny)
Fixed it for you.
7.3%- Sounds about right (Score:3, Insightful)
Re: (Score:3, Funny)
everyone BUT the intern should be fired (Score:5, Insightful)
i get told now and then to do something not quite above board.. so i send the requester an email asking them to state in explicit detail what they want so i can be clear (and also have a record/trail). most times, the request is not repeated. doesn't make me terribly popular, but i sure as hell am not going to get tossed for another person's bad (or illegal?) request.
i kinda feel bad for the intern.. kinda like a falsely-accused criminal. this will probably follow him around a while and it was little or no fault of his own..
-r (has NO problem believing the intern's story 100%)
Re: (Score:2)
Re: (Score:3, Funny)
Re: (Score:2)
Re: (Score:2)
I want to know why someone felt t
Re: (Score:2)
Don't worry! (Score:2)
Thanks a Lot Genius (Score:2)
You know what they say, "if an intern triples yo
Re: (Score:2)
Tom
Makes sense not to report for a bit (Score:5, Insightful)
If a news report came out the next day "20,000 SSNs stolen" then they would know what they had, and try to find a buyer. Otherwise the tapes would likely have been trashed so the criminals wouldn't have incriminating evidence sitting around their house.
Dan East
Re: (Score:3, Insightful)
That's like not reporting your car stolen and just hoping it will turn up somewhere unscathed because it was a 1989 honda. Sure, it's no
Why is this marked as 'Troll' (Score:3, Insightful)
Yesterday, I was the first on the scene to an accident. A kid (temporarily, I believe) lost vision in one eye when the air bag smacked him in the face. I think it w
It gets better...er, funnier at least (Score:5, Informative)
http://ohio.gov/idprotect/lookup/lookup.aspx/ [ohio.gov]
On this page you enter your last name and the last four of your SSN. Anybody see anything fishy about this page? HOW ABOUT THAT IT ISN'T USING SSL. Apparently they don't believe in using encryption anywhere, ever. Not on backup tapes and definately not when transmitting sensitive information over the Internet.
Re:It gets better...er, funnier at least (Score:5, Interesting)
Your assigned activation PIN (personal identity number) is 7655616
smith, 1235 = nada
smith, 1236 = 8966764
Then, I tried:
%, 1236 = 3738028
smit%, 1234 = 7655616
smit, 1234 = 7655616
smoth, 1234 = nada
sm_th, 1234 = 7655616
Lastly, if your organization's procedure is to pass 22 year old interns the company's "family jewels" to keep overnight and one day they get stolen, it's not the intern's fault at all.
The management is to be blamed for this. That's pretty much a stupid procedure.
The intern isn't being paid enough for such a responsibility, nor should the intern be given such a responsibility in the first place.
Libertarians rejoice! (Score:2)
Why take it home (Score:2)
Simple Solution To All This (Score:4, Insightful)
There is a simple solution to this kind of thing. You take the SSN, bank account and CC numbers of the person in charge (the General, Congressman, CEO etc.) and you put them in every container, laptop, tape, HDD, USB stick, etc. that has private information on it.
Problem solved.
Negligence (Score:2, Interesting)
The value of labor per hour is not relevant and should be considered distraction of truth in this situation. The reality is that an adult of mature age was directed to secure the property and was asked to take it home and keep it safe.
Whether this was wrong or not is non point the moment he accepted the assignment.
The fact that he left it in his vehicle is a first point of negligence.
The second fact woul
Old news (Score:2)
gpg/pgp encryption (Score:2)
Re: (Score:2)
Please enact a law requiring that each and every use of our SSN be verified by the assignee (by phone, in-person, etc) of the SSN. Force the credit-granting agencies to verify before granting credit in such a way that the verification could only be used one time, for a limited time frame, for a set amount of credit to extend. Write the law in such a way that the credit issuer and credit agency are responsible for any un-verified credit and not the holder of the SSN.
This will undoubtedly
A few points on his statement (Score:3, Insightful)
1) He also obviously did not take time to investigate or read the policy. Granted .. this can be also blamed on supervisor's. But there is no 'patch' for ignorance, correct? Sometimes you only get one shot.
2) If he had any idea what was on the tape, he should not have left it in his car. I don't know if it was in the open or not, but 'intern' or not, he should be aware of the sensitivities of that sort of data. He commented on the policy (which he was not aware of until after the fact ... we've covered that) and said it was "unreasonable to assume that the person would not stop somewhere on their way home". (He is questioning the policy, but we'll cover that next.) Again ... if I knew what was on that tape (granted, I am not an innocent, young 'intern'), I wouldn't take it. If forced to, I wouldn't let it out of my sight til in my home.
3) He *should* question policy if he wants to be valued .. hopefully he learns from that. That's something I look for in a valuable employee. Questioning does not necessarily mean 'defy' (which I think is what he is trying to say). If not questioning the policy, he should be asking "This stuff is encrypted, right?"
They are kind of going after the young intern as someone to pin this on, I'm sure. However, I don't think he can/should hide behind his 'intern' label and fire his pop-gun back saying none of it is his fault. He should admit his part in the mistakes and what he would not repeat ... then point to the broken policy / security model.
Also hope they have fraud alerts set up on those 770,000 people and are ensuring they have state-provided equifax accounts! ;)
I live in Ohio (Score:2)
Gmail (Score:2, Funny)
9 digits in an SSN number
1 comma delimiter per number
-----------
8,000,000 digits
This is still under Gmail's 10mb per email rule. He could have just emailed himself the list as backup.
(yes, I know there's more data than the number. That's why you get 2.8gb+ of space!)
The ones to blame (Score:2)
Maybe there should be a law that automobile license plate numbers should be the same as the owner's SSN. That would put a damper on the temptation to use SSNs as some kind o
Re: (Score:2)
And this is why (Score:4, Insightful)
They are essentially a pyramid scheme to keep old people happy. You have to put them on everything, because they have become a national ID number. People are to complacent with that.
Re: (Score:2)
$125 an hour? (Score:4, Funny)
outsourcing at is best (Score:2)
I suspect an "Inside Job"... (Score:2)
There's careless, there's stupid....and then there's pre-meditated.
I suspect he might be right about the "scapegoat" claim. There is just too many mistakes here by too many people who should have known better for me to accept as a pure "accident"
Check the local flea markets? (Score:2)
I wonder if there are people at computer swap meets/hamfests with boxes of tapes that they sell for a few bucks apiece with interesting stuff on them.
There have been multiple incidents of people buying "junk" HD's secondhand, taking them home and finding interesting stuff on them.
They're all stupid (Score:4, Interesting)
Consultants reporting to consultants? Great plan if you don't care to remain in control of your company/organization.
Making a single, bottom level, low income person responsible for your most valuable asset, data? Obviously no concept of sensitive information.
No encryption? Dumb, dumber and dumbest omission of data management.
My recommendations:
1) Keep the intern. He now is knowledgeable and will make better decisions on similar matters; however, let him do the job appropriate to his level. Being fully responsible for off site data should not be part of his job.
2) Update the policy in accordance with federal, SOX, ISO 17799 and whatever other standards apply to include data encryption and a *real* off site method.
3) Get rid of one of the consultants. All consultants should be reporting directly to an employee who has interest in the company/organization.
4) Use the money saved by removing the excess consultant to pay a professional company to pickup and store the tapes off site, in a secure, disaster recovery designed site. Iron Mountain does a pretty good job. (or use their online data transfer method) If nothing else, purchase a small, fireproof box with a lock and make the manager carry it home each night.
These are really basic IT management decisions. I feel sorry for the people relying upon such an organization with an obvious lack of skill or concern.
Re: (Score:2)
That, and he should know better than to not report something stolen to the police... especially if its someone else's property.
Re:It Figures... (Score:5, Insightful)
To all the comments that are calling the intern an idiot for leaving the tapes in his car, I ask you this: where should he have stored them? In his apartment which can be just as easily broken into? Was he supposed to rent out a protected storage unit at his own expense? The correct answer is that he should have never been responsible for storing them. Now ask yourself what is worse: a superior handing over 800,000 SSN's to an intern, or an intern leaving those SSN's in his car?
Re: (Score:2)
Uh, yes. That is emperical fact. They were in his car and he left them unattended.
"... where should he have stored them?"
No. '... why would he have taken them?'
Interns aren't tabula rasa, they're just inexperienced. What background did he have? Any IT schooling? If so, he was aware of what he was doing. All the persons in the chain of command are guilty, even the peons.