Slashdot Mirror


Outsourced Confidential Data On Children Posted

Kataire writes "MSNBC exposes a grievous blunder in which an outsourced programmer posts highly confidential data to a public website, concerning the daily whereabouts of hundreds of children in upstate New York. Yes, this person did this not once, or twice, but three times, with two different data sets. Even worse, the data was out there, publicly 'visible' for months. Just because RentACoder finally discovered and yanked it, after a coder 'stuck with a tricky formatting issue' posted the specific database he was working on to their messageboards, doesn't mean the damage is undone. The ramifications reach beyond the painfully obvious privacy issues, touching on outsourcing and peer ethics."

10 of 438 comments

  1. I'm not surprised by samsmithnz · · Score: 4, Interesting

    Myself, I'm always careful about 'stripping' any information when posting code samples or looking for help in Forums. I'm surprised this isn't reported more often...

    I wonder if the parent company that hired this 'outsourcer' even knows that their data has been compromised...

  2. Sad to say.... by Tangurena · · Score: 4, Interesting
    Folks are too busy cutting back on employees to even think straight. This sort of thing has gone on before and will go on again. Just think of the hospital in Florida that outsourced medical transcription to someone, who outsourced it again, until eventually, some Pakistani woman was upset that she was not getting paid, and threatened to release all of the info onto the web.

    This, and the Florida case will be brought up again and again. And I am sad to say that these are just the beginning of a long decline.

  3. Confidential data on slashdot by Anonymous Coward · · Score: 5, Interesting

    I have seen some people spread data via slashdot comments encoded with base64 and encrypted. (anyone have a link to a specific occurrence - at least one time someone decrypted it and posted it) Could slashdot be used as a way to anonymously leak information like this, and use slashdot's general policy of "just mod to -1, don't delete" towards comments as an advantage? Unlike other forums, posting anonymously leaves nothing but an MD5SUM of your IP to be used in court. Also, if you "post anonymously" while logged in, slashdot caches your username. You can verify if you have mod points by noticing that even when you post anonymously AND change your IP address, you can't mod up/down the comment.

  4. Is it really gone? by AndroidCat · · Score: 5, Interesting

    I wonder if they've checked the wayback machine at archive.org.

    --
    One line blog. I hear that they're called Twitters now.
  5. Procedure, Procedure, Procedure by hellfire · · Score: 5, Interesting

    First of all, the article is fanning the flames by saying this is a database of children's whereabouts. Okay, this is a problem, but then again it doesn't matter if it's children or anyone, it just gets "oh please save the children!" sympathy clicks.

    It also doesn't address what I think the biggest problem is. It's obvious to me someone assumed this bozo of a programmer had some not-so-common-sense about posting information to a website. I deal with customer data all the time, and my company has taken some steps to make it a little harder for people who should not need the data to not get the data, and our data exchange policy clearly states "Do not give this data to anyone outside of this company or you will be beheaded!"

    I get to this day accountants in our company saying "why can't I peek at this customer's data" to which I reply "Do you have a significant need? If so, tell your manager to talk to my manager, and I'll be happy to give it to you." I get nothing after that. The customer data we have is for support and development use, not an accountant who has no use for inventory and sales information (at least not in this company). It is also freely accessible amongst those people, who typically only share it within others in their department.

    One day a manager might get an idea that looking at a customer's data might give them an idea of their open bills, but that might be unethical or illegal so until a manager says to give access, I won't.

    My point is, it could be that the policy was not pounded into this dolt's head, or that a proper data exchange policy even existed. If so, he's still a dumbass, but companies frequently hire dumbasses, which is why you sometimes need a policy to help prevent dumbass behavior. The article puts full blame on the programmer and doesn't really give any blame to the company who hired him.

    --

    "All great wisdom is contained in .signature files"

  6. These violations are RAMPANT. by Anonymous Coward · · Score: 5, Interesting
    I work at a company that makes software for viewing printer protocols (PCL, HPGL, etc.). As such, we often receive problematic files from customers which do not view properly in our viewer.

    You would not believe the sensitive information we receive. People don't even think about the ramifications when they send us, for example, somebody's high school transcript, or mortgage closing documents, or people's credit reports. We have secret inventory lists for competing companies, each of which would probably kill to get their hands on that information. We have "insider" information on the international banking industry. We have medical records. Prison records. It goes on and on.

    Because of this, we have an extremely tight document policy. Data exists on paper only long enough for testing purposes, then it is destroyed. The bug tracking database is purged of old test cases on a regular basis. Customer files never leave this office, in paper form or otherwise.

    In fact, as I write this message, I can think of several ways that we should probably be even more paranoid. Fortunately, the officers of the company take our responsibilities very seriously, and there has never been any serious breach of customer confidentiality. I hope there never is.

    The programmer who posted identifiable information to a public web site, because he was too incompetent to solve his own problems, is an idiot who should be fired and beaten with a wicker cane.

  7. Re:Who do you trust? by Skyshadow · · Score: 5, Interesting
    Posting anon for reasons which will become clear:

    I work for a large healthcare organization. A while back, we caught some heat because we were transferring a lot of patient data over to India for use in one of our offshore projects and a local newspaper found out about it. Our official response was "Hey, Americans do this work too. It's not necessarily safer there than here."

    A month later, one of the outsourced programmers took off with a couple of backup tapes and blackmailed my company.

    This exposed the real issue at hand here: Offshore workers aren't in America, which means that we found ourselves unable to bring the weight of American law enforcement to bear on this person. In America, we would have had the FBI kicking in this guy's door within the hour. Instead, this individual simply moved to a different part of India, which is apparently like moving to another planet for the purposes of getting them arrested. The issue was clamped down on by management before the resolution, but the word around the water cooler is that we just paid them off -- really, the amount of money they wanted was insignificant against the massive PR damage we were looking at.

    So while it's true that a worker in America can spill private data just as easily as a worker in the third world, *getting away* with it is a completely different matter. Companies which offshore private data deserve the lawsuits they'll face when something like this actually plays out wrong...

    --
    Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
  8. Who made the blunder? by gokubi · · Score: 4, Interesting

    It's great to see how different news orgs handle headlines. MSNBC makes pains to name the Government as the offender in its headline, "Government agency exposes day-care data". Slashdot is a little less breathy and indicates the true source of the leak, the out-sourced coder.

    Both could be called correct, but more interesting is how the positioning of the story indicates the inclination of the news source. MSNBC is part of the mainstream news establishment that has been telling us for years that the government hasn't done a good thing since kicking the British out of Yorktown.

    Slashdot speaks to a lot of developers who don't ever want to work for a place called "RentaCoder", and don't have a lot of respect for anyone who would.

    Personally, I much prefer the Slashdot take on the story.

    --
    I'm much funnier now that I'm a subscriber.
  9. Re:Maybe now someone will pay attention. by Schnapple · · Score: 4, Interesting

    Now all we need is for one of those children to be the child of a Congressman. Same way we need just one of the RIAA targets to be some senator's kid off at school...

  10. Re:Who do you trust? by pwtrash · · Score: 5, Interesting
    Yep, your example would have been worse.

    However, the article suggested that these kids are foster kids, which means that at a minimum they were victims of neglect to the extent that the state stepped in and removed them from their birth parents.

    It's likely that a number of these kids were victims of sexual abuse. Needless to say, many of them have views on sexual issues that are warped by their experience. A predator would likely know how to take advantage of their experience.

    Also, typically, the goal is to re-unite them with their parents. Obviously, some of these parents are not worth anything. But a number of them are genuinely trying to do whatever they can to make their family right. This doesn't help.

    My wife works with kids in this situation, and I don't know any names ever. I don't want to know, and she takes her commitment to their confidentiality very seriously.

    I hope we get to hear what becomes of Mr. Mark Dennis, the fine bleeding-edge developer who had to ask RentACoder for database formatting help. It would only be fitting if we all got to experience his worst or most vulnerable moment. I'll turn it into HTML for $15.