Ohio Data Leak Gets Pinned On The Intern

from the passing-the-buck-eye dept

You might remember the recent data leak in Ohio, where personal info on a million or so people was lost, after a storage device containing it was stolen from an intern’s car. The intern, who apparently took the device home with him as part of a security protocol, has now been fired by the state, and says he’s being made the scapegoat for the loss. Despite the governor’s claims to the contrary, of course the intern’s being scapegoated, even though he apparently was just doing what he was told. That’s how things work with data leaks: the buck is passed, and responsibility shirked. In this instance, the state can say the responsible party has been fired, glossing over the fact that he was apparently just following directions he’d been given, and that the real problem here was a flawed security plan that was either devised by an idiot, or, more likely, by somebody who didn’t take the security of other people’s personal info very seriously. That’s the problem here: nobody seems to care when it’s other people’s data. There are never any real ramifications from these leaks, as long as companies or governments are seen to have some security plan in place, even if it’s not a good one. Until that changes — and the scapegoating and responsibility shirking stops — data leaks and breaches are going to keep on coming.


Comments on “Ohio Data Leak Gets Pinned On The Intern”

Joe says:

Use Encryption people!

I went on vacation and took an external USB powered drive with me along with a Linux live CD in case I needed to use the data on it. TrueCrypt is a really wonderful piece of software. Thieves would find nothing useful on that external drive and reformat it to use as their own. My company data could not have been exploited since it was encrypted with AES 256 and a nice strong keyfile/password. Quite simple solution that no state or federal government will use because the IT staff is not competent… TrueCrypt also runs on Windows.

some Buckeye-crazy fool that thinks he knows every says:

Re: Use Encryption people!

Joe… come on… before this happened, the taxpayers of Ohio would’ve thrown a fit if they’d found out the “not competent” IT staff had spent tax dollars on unnecessary encryption software. The newspapers would have crucified them for “government excess” and someone higher in the food chain than an intern would’ve lost their job.

No reasonable person would argue that this was a big smack in the face for some obviously less than cautious people… but keep in mind how difficult of a job they have of protecting that sensitive data… all while not spending a dime of those person’s tax money.

Bob Knight says:

Intern Fired

This is a case where I hold the intern without blame at all.
I don’t care that his car was not locked. I live in a place where you can leave things unlocked. But regardless the thief is who stole the drive.
The persons that are responsible are, the one to come up with the idea of the take home hard drive, and the one that signed off on the idea.
As they are civil servants, no merit raises, no promotions, and they should be put at the bottom step of their pay grade.
The only other option, their resignation.

Craig (user link) says:

Plenty of blame to go around

Weak link #1: Careless intern leaves data tape in unlocked car overnight (bad move)

Weak link #2: Procedures that require said intern to take tape home with him (bad design)

Weak link #3: Poor encryption standards that would allow critical data like this to even potentially be usable by a 3rd party (bad choice)

So, let’s make sure every failure point gets addressed. The intern should certainly be canned (with cause), but the systems and policies ALSO need overhauling.

Anonymous Coward says:

Re: Plenty of blame to go around

Weak link #1: Careless intern leaves data tape in unlocked car overnight (bad move)

If it was stolen out of an “insecure” rented room some people would try to blame him for that as well. They would say that he should have stayed up all night guarding it. The guy probably wasn’t in the “secure data warehousing” business after all and so probably didn’t have an appropriate place to keep it. And on top of that, how is it the place of his employer to demand that he provide them free data warehousing on his own time in the first place? There are commercial companies for that kind of thing.

AK (profile) says:

How can people blame the intern???

You people are killing me!!!! How can you blame the intern? What justification can you have for that? As an intern at one time, let me explain how these things work…

“Hey Joe, take this thing home with you tonight.”

“Sure, Mac, what is it?”

“Just some backups. We like to have a couple copies off-site every night. I’m taking one too. I would have given yours to Sam, but he’s already left.”

“I’m not so comfortable with that – what if something happens?”

“What’s gonna happen? Just throw the thing in your car and bring it back in tomorrow. Besides, it’s policy that two different people have backups. You wouldn’t want to get fired for refusing to follow policy, would ya?”

I love geniuses that pass the buck onto an intern that just wants to do his internship, without hassle, so that he gets a reference.

Doug Logan (user link) says:

Why was an intern given so much sensitive data?

While I also agree that the intern probably should have at least locked his car, why was an intern given so much sensitive data? Who is to say that the tape wasn’t just “stolen”? Back when there was that whole scandal where social security # information from the bank was being sold, the article I read talking about the people being busted stated that they were being paid $1 or more per social security number. If there was even 10,000 social security numbers in that data (and there easily could be on the 100,000’s), that’s a lot of money for an intern. It was an idiotic decision to trust that data to an intern in the first place, even if there was a policy to take that off site. A more seasoned IT individual might have at least thought about the potential risks associated with the data being lost and would have taken more measures (e.g. bring it into their house).

Buckeye says:

Has anyone ever heard of a thief who wouldn’t break into a house? Would it have made a difference to the thief if the car had been locked? If I give a toddler a handgun, is it the toddler’s fault when they blow their own head off?

An intern by definition is learning on the job, and my home state has provided a really bad example of how to handle sensitive data. He shouldn’t be fired because the state has failed to put together a competent disaster recovery program. It was the state that failed to protect the identity of state employees, not the intern.

Gary says:

I think we can all agree...

A good security policy allows for human error. You can’t just assume that the best case scenario will always be the scenario. I am a disaster recovery specialist and I’ve seen hundreds of disaster recovery plans from Fortune 500 companies. Government is always the cheapest and dumbest. They will spend 1/2 of whatever you tell them is the required minimum. That’s just how it is with Gov. and some other non-profs… oh yeah… they also have next to zero accountability. Put those two things together and you have a failure of a backup strategy and when it fails you have a dozen people pointing fingers and nobody resolving problems.

Brian Carnell (user link) says:

NoName is right

First of all, if the backup wasn’t encrypted, then whoever created the security policy in the first place and handed off an unencrypted device with all those SSNs should be fired.

Second, the intern claims that he was simply told to take the backup home overnight and return it the next day, and the issue of how to secure the backup was never discussed. Again, if that’s true, then the fault was with the creators/implementers of the protocol above the lowly intern.

NoName is correct…if they want the tape secured, they have to be very explicit about what they mean by that. You can’t just give employees vague duties and then fire them when they don’t follow the specifics you, as a supervisor, should have given them in the first place.

tad_scsi says:

Gimme a break...

This intern was supposedly a student at DeVry – which actually had something of a good reputation at one time. How do you get past the first weeks of any kind of computing degree without the utter sanctity of data burned into your head? Even if the data is not of such personal nature it is still sacred – would you want to run potentially corrupt data? Data that was corrupted by say – the environment inside a car? Or how about the magnetic fields that may have existed on or about the TV set that he told the Columbus Dispatch was a common repository point for him? My understanding is that the medium was magnetic tape.

The intern was hopelessly inept.

Kinda reminds me of the second year student that couldn’t figure out why he couldn’t get an 11,000 string array to run worth a crap (in 1999). Why aren’t the fundamentals being taught and stressed?

I wrote the governor – as I am in Ohio – and advised that he consider also canning the kid’s immediate super, too. The intern had only been with the state for two months when he was charged with the back-up duties. You trust an intern with only two months track record with that stuff? I think not! It also was not – by his own admission – his first time leaving it in a car.

Only a moron leaves such important data in such an environment to begin with.

For the record – one ALWAYS keeps a back-up of critical data off-site. If you keep it on site and say – there’s a theft, or tornado – or highly destructive fire – then you have no back-up at all – or original data either. That’s why you keep one off site, the classic back-up schedule and protocol cited is the one devised by Planned Parenthood a couple of decades ago. And that is almost certainly the model used. After all – it takes a mighty safe to also be BOMB proof. A safe alone is not proper security – if the safe is on location where the originating data is.

I don’t know if the Gov ever actually saw my letter – but I did advise him of a company in Columbus that would certainly provide the utmost in data security – and if you need one they are also a very flexible and excellent host – JTLnet. They could deposit their back-ups with JTLnet at almost any hour of the day since they staff 24/7 — or even backup over the wire — or both.

Finally – the intern was 22 – does his mom still wipe the doo doo off his fanny? How on earth do you get to 22 and be that irresponsible in that sort of position?

There is zip zero excuse for the way the intern handled the data he was charged with protecting.

Rick in Michigan says:

Ohio Data Leak

I think Joe-Public needs to step up to the plate too and force those in authority who fired the Intern to not only lose their jobs, but do jail time for devising such a pitiful security plan. This is criminal – and with fore-thought, and should be dealt with in that regard – and not just in Ohio, but across the nation.

Rick In Michigan

Victim of this leak says:

Re: Ohio Data Leak

I couldn’t agree more with Rick. The entire chain of command revolving around this data should be prosecuted just as those who had stolen it. Until legislation is in place that will hold those responsible actually responsible, these kinds of problems will continue. I am one of the victims of this “loss”. I called the Department of Administrative Services, apparently the department that is the cause of this fiasco, and their representative stated the following:

The back up tape that was stolen was created on a faulty tape drive that had mis-aligned heads, so the data would only be readable by that tape drive or with sophisticated equipment.

There is no evidence that the data had been accessed.

His information was on the tape too, but he was not worried.

These are all a crock!

The state is paying for a credit verification service called Debix. This service will block any credit verifications until you are contacted and you supply them with your PIN. This service is being provided for 1 year. What happens in year two when the thieves of the tape drive start selling your information off and you are no longer protected? Why should I have to be forced to pay for this kind of protection for the rest of my life because some dip shit intern, and his management team are incompetent?

For the record I have contacted my state rep. and Mike Foley has not returned any of my emails. This ass clown will not be getting my vote next election. In fact I will be actively campaigning for whoever runs against him.
