Ohio Data Leak Gets Pinned On The Intern

from the passing-the-buck-eye dept

You might remember the recent data leak in Ohio, where personal info on a million or so people was lost, after a storage device containing it was stolen from an intern's car. The intern, who apparently took the device home with him as part of a security protocol, has now been fired by the state, and says he's being made the scapegoat for the loss. Despite the governor's claims to the contrary, of course the intern's being scapegoated, even though he apparently was just doing what he was told. That's how things work with data leaks: the buck is passed, and responsibility shirked. In this instance, the state can say the responsible party has been fired, glossing over the fact that he was apparently just following directions he'd been given, and that the real problem here was a flawed security plan that was either devised by an idiot, or, more likely, by somebody who didn't take the security of other people's personal info very seriously. That's the problem here: nobody seems to care when it's other people's data. There are never any real ramifications from these leaks, as long as companies or governments are seen to have some security plan in place, even if it's not a good one. Until that changes -- and the scapegoating and responsibility shirking stops -- data leaks and breaches are going to keep on coming.


Reader Comments

  1.  
    Anonymous Coward, Jul 27th, 2007 @ 7:44pm

    It's all Microsoft's fault! Buy a Mac!!!!!!

    now let's sit back and watch the flame war begin, and be sure to read the other article about flame wars, you may want to be careful on what you say :)

     

  2.  
    Joe, Jul 27th, 2007 @ 8:06pm

    Use Encryption people!

    I went on vacation and took an external usb powered drive with me along with a Linux live CD in case I needed to use the data on it. TrueCrypt is a really wonderful piece of software. Thieves would find nothing useful on that external drive and reformat it to use as their own. My company data could not have been exploited since it was encrypted with AES 256 and a nice strong keyfile/password. Quite simple solution that no state or federal government will use because the IT staff is not competent... TrueCrypt also runs on Windows.

     

  3.  
    Ohio Guy, Jul 27th, 2007 @ 8:09pm

    Oh Please.

    Sure there's blame to go around, but this kid leaves a data tape in an UNLOCKED car overnight, and gets mad when people blame him. Yeah. Hard to imagine.

     

  4.  
    Anonymous Coward, Jul 27th, 2007 @ 8:21pm

    The kid deserves to be canned for doing something that stupid, but he shouldn't be the only one. Shame on the state for this fake action plan.

     

  5.  
    Anonymous Coward, Jul 27th, 2007 @ 9:03pm

    this kid was following procedures.

    he should sue from wrongful termination.

     

  6.  
    Anonymous Coward, Jul 27th, 2007 @ 9:52pm

    Who in their right mind would require someone to take home information like that as part of security! They are a bunch of idiots! That data should be encrypted and kept in a safe! Yes the intern has some blame, but the person who came up with the idea of taking that stuff home deserves more!!

     

  7.  
    JT, Jul 27th, 2007 @ 9:56pm

    I actually work for the State of Ohio IT and the comment "the real problem here was a flawed security plan that was devised by an idiot" is absolutely true, idiot may be reaching a little high. What's below that?

     

  8.  
    Anonymous Coward, Jul 27th, 2007 @ 10:33pm

    Re:

    Please. You're behind the times. All the cool kids these days say, "Use Linux. Cuz you know if they were using Linux then this would not have happened."

     

  9.  
    Bob Knight, Jul 28th, 2007 @ 2:33am

    Intern Fired

    This is a case where I hold the intern without blame at all.
    I don't care that his car was not locked. I live in a place where you can leave things unlocked. But regardless the thief is who stole the drive.
    The persons that are responsible are, the one to come up with the idea of the take home hard drive, and the one that signed off on the idea.
    As they are civil servants, no merit raises, no promotions, and they should be put at the bottom step of their pay grade.
    The only other option, their resignation.

     

  10.  
    some Buckeye-crazy fool that thinks he knows every, Jul 28th, 2007 @ 4:07am

    Re: Use Encryption people!

    Joe... come on... before this happened, the taxpayers of Ohio would've thrown a fit if they'd found out the "not competent" IT staff and spent tax dollars on unnecessary encryption software. The newspapers would have crucified them for "government excess" and someone higher in the food chain than an intern would've lost their job.

    No reasonable person would argue that this was a big smack in the face for some obviously less than cautious people... but keep in mind how difficult of a job they have of protecting that sensitive data... all while not spending a dime of those person's tax money.

     

  11.  
    Overcast, Jul 28th, 2007 @ 4:44am

    Good move!

    It's the intern's fault, as well as the fault of whatever 'management' decided that was a good data protection policy.

     

  12.  
    Craig, Jul 28th, 2007 @ 6:36am

    Plenty of blame to go around

    Weak link #1: Careless intern leaves data tape in unlocked car overnight (bad move)

    Weak link #2: Procedures that require said intern to take tape home with him (bad design)

    Weak link #3: Poor encryption standards that would allow critical data like this to even potentially be usable by a 3rd party (bad choice)

    So, let's make sure every failure point gets addressed. The intern should certainly be canned (with cause), but the systems and policies ALSO need overhauling.

     

  13.  
    AK (profile), Jul 28th, 2007 @ 7:16am

    How can people blame the intern???

    You people are killing me!!!! How can you blame the intern? What justification can you have for that? As an intern at one time, let me explain how these things work...

    "Hey Joe, take this thing home with you tonight."

    "Sure, Mac, what is it?"

    "Just some backups. We like to have a couple copies off-site every night. I'm taking one too. I would have given yours to Sam, but he's already left."

    "I'm not so comfortable with that - what if something happens?"

    "What's gonna happen? Just throw the thing in your car and bring it back in tomorrow. Besides, it's policy that two different people have backups. You wouldn't want to get fired for refusing to follow policy, would ya?"

    I love geniuses that pass the buck onto an intern that just wants to do his internship, without hassle, so that he gets a reference.

     

  14.  
    Doug Logan, Jul 28th, 2007 @ 7:45am

    Why was an intern given so much sensitive data?

    While I also agree that the intern probably should have at least locked his car, why was an intern given so much sensitive data? Who is to say that the tape wasn't just "stolen"? Back when there was that whole scandal where social security # information from the bank was being sold, the article I read talking about the people being busted stated that they were being paid $1 or more per social security number. If there was even 10,000 social security numbers in that data (and there easily could be on the 100,000's), that's a lot of money for an intern. It was an idiotic decision to trust that data to an intern in the first place, even if there was a policy to take that off site. A more seasoned IT individual might have at least thought about the potential risks associated with the data being lost and would have taken more measures (e.g. bring it into their house).

     

  15.  
    Just a Guy, Jul 28th, 2007 @ 9:13am

    The Kid isn't being fired for taking it home, it's for not keeping it secured in his Possession or in a secure place over night. He didn't follow the procedures to the full extent and that's why he was fired. I'm not saying a security procedure like this is very intelligent but that's why he was fired.

     

  16.  
    Joe, Jul 28th, 2007 @ 10:14am

    Re: Re: Use Encryption people!

    TrueCrypt is free open source software. No charge for the taxpayer. Runs on Windows and Linux. Windows install is real easy too. Just download and run the installer. Some Linux flavors have install packages too and if you can't find one, download the source and compile it yourself.

     

  17.  
    Buckeye, Jul 28th, 2007 @ 10:45am

    Has anyone ever heard of a thief who wouldn't break into a house? Would it have made a difference to the thief if the car had been locked? If I give a toddler a handgun, is it the toddler's fault when they blow their own head off?

    An intern by definition is learning on the job, and my home state has provided a really bad example of how to handle sensitive data. He shouldn't be fired because the state has failed to put together a competent disaster recovery program. It was the state that failed to protect the identity of state employees, not the intern.

     

  18.  
    Gary, Jul 28th, 2007 @ 12:12pm

    I think we can all agree...

    A good security policy allows for human error. You can't just assume that the best case scenario will always be the scenario. I am a disaster recovery specialist and I've seen hundreds of disaster recovery plans from Fortune 500 companies. Government is always the cheapest and dumbest. They will spend 1/2 of whatever you tell them is the required minimum. That's just how it is with Gov. and some other non-profs... oh yeah... they also have next to zero accountability. Put those two things together and you have a failure of a backup strategy and when it fails you have a dozen people pointing fingers and nobody resolving problems.

     

  19.  
    Cynic, Jul 28th, 2007 @ 2:50pm

    The whole thing smacks of keeping half your money in the mattress in case the bank burns down, and then smoking in bed.

     

  20.  
    Anonymous Coward, Jul 28th, 2007 @ 2:53pm

    Re: Oh Please.

    So, just exactly *where* are you saying he *should* have put it overnight?

     

  21.  
    Anonymous Coward, Jul 28th, 2007 @ 3:06pm

    Re: Plenty of blame to go around

    Weak link #1: Careless intern leaves data tape in unlocked car overnight (bad move)
    If it was stolen out of an "insecure" rented room some people would try to blame him for that as well. They would say that he should have stayed up all night guarding it. The guy probably wasn't in the "secure data warehousing" business after all and so probably didn't have an appropriate place to keep it. And on top of that, how is it the place of his employer to demand that he provide them free data warehousing on his own time in the first place? There are commercial companies for that kind of thing.

     

  22.  
    NoName, Jul 28th, 2007 @ 3:10pm

    Re:

    "The Kid isn't being fired for taking it home, it's for not keeping it secured in his Possession or in a secure place over night"
    Did they provide him with this "secure place" you referenced as him not using?

     

  23.  
    Brian Carnell, Jul 28th, 2007 @ 4:26pm

    NoName is right

    First of all, if the backup wasn't encrypted, then whoever created the security policy in the first place and handed off an unencrypted device with all those SSNs should be fired.

    Second, the intern claims that he was simply told to take the backup home overnight and return it the next day, and the issue of how to secure the backup was never discussed. Again, if that's true, then the fault was with the creators/implementers of the protocol above the lowly intern.

    NoName is correct...if they want the tape secured, they have to be very explicit about what they mean by that. You can't just give employees vague duties and then fire them when they don't follow the specifics you, as a supervisor, should have given them in the first place.

     

  24.  
    Don1, Jul 28th, 2007 @ 5:47pm

    supervisors

    The worst part is that people who know what we are doing have to open our own shops, while the people who are dumb enough to implement this strategy keep getting hired.

     

  25.  
    Anonymous Coward, Jul 29th, 2007 @ 5:43pm

    Re: Re:

    um tard, osx is a flavor of unix

     

  26.  
    tad_scsi, Jul 29th, 2007 @ 9:40pm

    Gimme a break...

    This intern was supposedly a student at DeVry - which actually had something of a good reputation at one time. How do you get past the first weeks of any kind of computing degree without the utter sanctity of data burned into your head? Even if the data is not of such personal nature it is still sacred - would you want to run potentially corrupt data? Data that was corrupted by say - the environment inside a car? Or how about the magnetic fields that may have existed on or about the TV set that he told the Columbus Dispatch was a common repository point for him? My understanding is that the medium was magnetic tape.

    The intern was hopelessly inept.

    Kinda reminds me of the second year student that couldn't figure out why he couldn't get an 11,000 string array to run worth a crap (in 1999). Why aren't the fundamentals being taught and stressed?

    I wrote the governor - as I am in Ohio - and advised that he consider also canning the kid's immediate super, too. The intern had only been with the state for two months when he was charged with the back-up duties. You trust an intern with only two months track record with that stuff? I think not! It also was not - by his own admission - his first time leaving it in a car.

    Only a moron leaves such important data in such an environment to begin with.

    For the record - one ALWAYS keeps a back-up of critical data off-site. If you keep it on site and say - there's a theft, or tornado - or highly destructive fire - then you have no back-up at all - or original data either. That's why you keep one off site, the classic back-up schedule and protocol cited is the one devised by Planned Parenthood a couple of decades ago. And that is almost certainly the model used. After all - it takes a mighty safe to also be BOMB proof. A safe alone is not proper security - if the safe is on location where the originating data is.

    I don't know if the Gov ever actually saw my letter - but I did advise him of a company in Columbus that would certainly provide the utmost in data security - and if you need one they are also a very flexible and excellent host - JTLnet. They could deposit their back-ups with JTLnet at almost any hour of the day since they staff 24/7 --- or even backup over the wire -- or both.

    Finally - the intern was 22 - does his mom still wipe the doo doo off his fanny? How on earth do you get to 22 and be that irresponsible in that sort of position?

    There is zip zero excuse for the way the intern handled the data he was charged with protecting.

     

  27.  
    holland, Jul 30th, 2007 @ 12:05am

    Hmmm ...

    I guess if we were talking about a chess game, rather than a governmental rush to "CYA," this poor intern would be a punk - I mean a pawn.

     

  28.  
    Paul, Jul 30th, 2007 @ 4:46am

    Intern Scapegoat

    The intern might have been fired for leaving the tape in his car unlocked, not exactly following the procedure. Several heads rolled other than the intern's also, three levels up plus the two contractors that set the plan up.

     

  29.  
    Anonymous Coward, Jul 30th, 2007 @ 8:09am

    Re: Gimme a break...

    tad_scsi,
    After all your bandwagon ranting, you never did state just what you thought the intern should have done. So how about it, just what you thought the intern should have done?

     

  30.  
    Rick in Michigan, Jul 30th, 2007 @ 8:59am

    Ohio Data Leak

    I think Joe-Public needs to step up to the plate too and force those in authority who fired the Intern to not only lose their jobs, but do jail time for devising such a pitiful security plan. This is criminal - and with fore-thought, and should be dealt with in that regard - and not just in Ohio, but across the nation.

    Rick In Michigan

     

  31.  
    Victim of this leak, Jul 31st, 2007 @ 5:45am

    Re: Ohio Data Leak

    I couldn't agree more with Rick. The entire chain of command revolving around this data should be prosecuted just as though they had stolen it. Until legislation is in place that will hold those responsible for actually responsible these kinds of problems will continue. I am one of the victims of this "loss". I called the Department of Administrative Services, apparently the department that is the cause of this fiasco, and their representative stated the following:

    The back up tape that was stolen was created on a faulty tape drive that had mis-aligned heads, so the data would only be readable by that tape drive or with sophisticated equipment.

    There is no evidence that the data had been accessed.

    His information was on the tape too, but he was not worried.

    These are all a crock!

    The state is paying for a credit verification service called Debix. This service will block any credit verifications until you are contacted and you supply them with your PIN. This service is being provided for 1 year. What happens in year two when the thieves of the tape drive start selling your information off and you are no longer protected? Why should I have to be forced to pay for this kind of protection for the rest of my life because some dip shit intern, and his management team are incompetent?

    For the record I have contacted my state rep. and Mike Foley has not returned any of my emails. This ass clown will not be getting my vote next election. In fact I will be actively campaigning for whoever runs against him.

     
