Outsourced Confidential Data On Children Posted

Kataire writes "MSNBC exposes a grievous blunder in which an outsourced programmer posts highly confidential data to a public website, concerning the daily whereabouts of hundreds of children in upstate New York. Yes, this person did this not once, or twice, but three times, with two different data sets. Even worse, the data was out there, publicly 'visible' for months. Just because RentACoder finally discovered and yanked it, after a coder 'stuck with a tricky formatting issue' posted the specific database he was working on to their messageboards, doesn't mean the damage is undone. The ramifications reach beyond the painfully obvious privacy issues, touching on outsourcing and peer ethics."

Who do you trust?

[DarkHelmet]

Who do you trust? And who do you get to solve something like this?

Do you say, "Only certain government approved facilities can deal with this sort of information?" Seriously, should I feel that someone "government sponsored" is better off with my information than an outsourced programmer in India? Who gets to play Big Brother? And what will they do with what they know?

You can take this to the extreme, and be wary of anyone to handle private data about you. But then, if there's that sort of outcry, nobody would be able to handle it, would they?

I suppose it's better than having the Smoking Man from the X-Files having a file about you, and a blood sample. I find most programmers to have a certain level of professionalism to what they do.

I personally have access to roughly 10,000 credit card numbers. I'll never abuse the fact that I have access to them. But on the other hand, I'm not stupid enough to post all of them on the net for everybody to see, either.

I hope anybody who ends up doing something that stupid becomes a victim of identity theft. That'll really open their eyes to respecting other people's privacy.

By the way, I hate how everybody gets up in arms over the fact that this is data from children. This is horrible for ANYBODY to have their information posted on the net like this. And it could have been worse. It could have been a list of women tying them to the current Battered Women's Shelter they were staying at.

Re:Who do you trust?

[R2.0]

"By the way, I hate how everybody gets up in arms over the fact that this is data from children. This is horrible for ANYBODY to have their information posted on the net like this. And it could have been worse. It could have been a list of women tying them to the current Battered Women's Shelter they were staying at."

Yes, it would suck if my daily schedule was put up in the internet. Then I'd have to worry about pedophiles or my crazy parent with the restraining order snatching me up.

Oh, wait - I'm an adult male who carries a cell phone, "pocket knife", and just enough martial arts experience to get me out of (okay, into) trouble.

Stories like this about children ARE different. Adults might have the means and methods to deal with the consequences of such a massive blunder. Children DO NOT! Especially lists about kids in day care: children who are pre-selected to be literally unable to take care of themselves.

Oh, and your "even worse" example sucks too. At least women in shelter are somehow connected with help. Think instead of a database of phone calls to an abuse hotline - lots of women who are totally vulnerable.

To borrow from the pigs in "1984": All privacy breeches are equally bad, but some are just way effin' worse than others.

Today's lesson:

[American+AC+in+Paris]

When you're looking to cut corners, be careful who you give the scissors to...

Maybe now someone will pay attention.

Talk of identity theft, damaged credit, and so on may not rile up the Soccer Moms of the world, but once something affects the children, watch and admire as their mouths begin to froth!

Downside of outsourcing

[johndiii]

When you outsource, you run the risk that the individuals doing the work do not share your company or even cultural values. If you are not willing to take the time to make sure that your outside contractors are what you expect, this is the kind of thing that will happen. Few companies really understand this.

Before we bash on outsourcing...

[wan-fu]

... before everyone starts bashing on outsourcing, let's not forget that this problem isn't a result of outsourcing, but an unscrupulous programmer. This could just as well happen on usenet with someone asking for programming advice from any company. It is the programmer who was not careful with data and the fault is on his side (and possibly the company who gave him the data and did not give him specific instructions for care of the data).

Re:Before we bash on outsourcing...

[laird]

"let's not forget that this problem isn't a result of outsourcing, but an unscrupulous programmer"

I'm not sure it's "unscrupulous" as clueless. Whether he's paid as an employee, a consultant, or a sub-contractor, he's just as responsible to treat sensitive data appropriately. He should have been fired the first time, or at least warned in writing and fired the second time. Allowing this to happen three times exposes both the agency (who's responsible for managing its vendors) and the vendor to tremendous liability because they've obviously not taken this issue seriously.

Re:Before we bash on outsourcing...

[Perl-Pusher]

Didn't read the article eh? I'll post the important part.

County attorney David Morris said that programming work for the day-care center had been outsourced to the locally-based Genesee Community College. The manager of the college's program refused to speak to a reporter, but Morris said Dennis was a third party consultant hired by Genesee. Dennis, in turn, used RentACoder to once again subcontract the database work, which ultimately fell to a New Jersey-based programmer. By that time, the programmer actually working on the day-care data was four steps removed from the county's social services program.

So the gist is they outsourced to a CommunityCollege who then outsourced it to a website. The coder who answered the website not only didn't know what he was doing and tried to get someone else to help him, he probably had no idea the significance of the data to begin with. Since nobody who had a clue actually hired him. Outsourcing something that important is exactly what is wrong. I've seen companies outsource jobs that were essential to the well being of the company and nobody in charge (CEO,CIO) will admit that the reason the business failed was due to putting something critical in the hands of others who didn't have the same priorities as them. You should only outsource when the task is not critical and doing it yourself is too expensive. If it's important and you don't have the expertise, hire employees who do. Then when something is needed, you get it when you want it and how you want it. If neither is possible choose another line work.

Obvious bias in post!

[teetam]

Couldn't a "non-outsourced" developer make the same mistake? What does this have to do with outsourcing at all? Seems to be a very leading post to me, designed to generate the usual angry, anti-outsourcing replies.

Re:Obvious bias in post!

[totatis]

Well, yes and no.

In theory, a non-outsourced developer can do the same mistake. But there is something important called relationship and trust.

If a developer is in-house, if he has talked to clients, project manager, if he had be given a lecture on how the data is sensitive, you can bet that this developer will not mistakenly post that data on the web. Sure he can be corrupted, but that's not what happened here.

On the other hand, if some code-monkey receives some coding to do for an unknown company, in an unknown place, for an unknown application, and he is given a set of data not knowning what it is, then he might publish his data without knowning what he is doing.

The "outsource" stuff is important, not because of some "save jobs" issue, but because it implies the developer should never had received this data in the first place.

If some company/government entity outsources some programming job, it should give said developers only fake datas. And administration jobs with access to the real datas should be done by trusted guys.

Does even outsourced matter?

[Uber+Banker]

The fact is this person revealed details against their contract code and more importantly, if they are in this position they should have the moral/ethical decency not to do this.

Whether they were outsourced or not outsoured does not matter (IMHO) - they still have a personal moral/ethical judgement... FT government contractors are not great saviours, rather this individual is one with poor/sick ethical judgement (it is in no way 'freedom of speech' to disclose confidential/sensitive information about young kids).

I do not believe outsourcing creates a more or less trustworthy/moral/ethical situations/employees (well, they just have less benefits rights and more legal liability if somethinggoes wrong), it is the individual who makes a better individual and avoids being a piece of scum.

California SB 1386

[JohnsonWax]

California has a bill designed to deal with these situations, though it's not clear if it would apply to this specific situation.

http://info.sen.ca.gov/pub/01-02/bill/sen/sb_135 1- 1400/sb_1386_bill_20020926_chaptered.html

The problem is that the bill is designed for data theft, not for dipshits giving it away for free. Nevertheless, the bill requires that consumers whose data has been stolen be notified through viable means - email, letter, public notice if they can't be identified. Fines to the company for not doing this and the person responsible for the data is open to civil action.

The main problem I see from the article is that the impacted individuals may not be notified, which is just wrong. Granted, this kind of thing probably can't prevented (minimized, yes, stopped, no) but there's a right way to address the problem and a wrong way. At least notify the affected people of what's happened.