Slashdot Mirror


Intern Loses 800,000 Social Security Numbers

destinyland writes "A 22-year-old intern said today he's the 'scapegoat' for the loss of over 800,000 social security numbers - or roughly 7.3% of the people in the entire state of Ohio. From the article: 'The extent of my instructions on what to do after I removed the tapes from the tape drive and took the tapes out of the building was, bring these back tomorrow.' Three months into his $10.50-an-hour internship, he left the tapes in his car overnight — unencrypted — and they were stolen. Interestingly, the intern reports to a $125-an-hour consultant — and was advised not to tell the police that sensitive information had been stolen, which initially resulted in his becoming the prime suspect for the theft. Ohio's Inspector General faults the lack of data encryption — and too many layers of consultants. But their investigation (pdf) revealed that Ohio's Office of Management and Budget had been using the exact same procedure for over eight years."

15 of 492 comments

  1. obviously he is an idiot. by falcon5768 · · Score: 3, Interesting
    I don't leave my freaking DS in the car let alone sensitive data like that. But there is plenty of blame to go around on this... in particular the fact that other than to prevent loss in the case of a fire, I can't see one legitimate reason for the tapes even leaving the site.

    Hell even in that case, why didn't they have a remote backup to prevent loss through a fire or flood?

    Yep plenty of blame to go around.

    --

    "Slashdot, where telling the truth is overrated but lying is insightful."

  2. Re:Are you really trying to blame Bush? by Anonymous Coward · · Score: 1, Interesting

    First, someone decided to blame the Scaled Composites explosion on Bush and now this? I don't like Bush, either, but there are (still) limits to his power, you know. No one's blaming this on him. Just asking why he or anyone of his cabinet members never takes responsibility and owns up to messes they've made.

    "It's someone else's fault but you're lucky you have me cause I'll fix it!" Should be:

    "I'm in charge of a system that's broken and I am partly at fault for that. It will be fixed though, these processes will be improved." But, you know, I've never once heard Bush personally say that he's responsible for anything--you can't trust people like that.
  3. Negligence by HamsterRabies · · Score: 2, Interesting

    The 22-yr-old's response is unacceptable given the amount of press and exposure identity theft is given.

    The value of labor per hour is not relevant and should be considered distraction of truth in this situation. The reality is that an adult of mature age was directed to secure the property and was asked to take it home and keep it safe.

    Whether this was wrong or not is non point the moment he accepted the assignment.
    The fact that he left it in his vehicle is a first point of negligence.
    The second fact would be his willingness to do something he felt was a risk, such as taking these tapes home.
    The third being his lack of documented objection to the process and procedure which is obviously faulted.

  4. Re:Scapegoat? Maybe, but he's still a moron. by Alizarin+Erythrosin · · Score: 4, Interesting

    Who the hell would send an intern out with backup tapes anyway? Makes no sense. Is that their offsite storage procedure? Send the tapes home with an intern, and hope he brings 'em back? Reading the PDF report, that turns out to be exactly what their procedure was...They even had it in their disaster plan, which makes me think it was more disaster and less plan. What the hell? Does the state of Ohio have so few buildings that they have to send the tapes home with people?

    Part of me always thinks some of these stories are really fishy...

    I mean, he tells the intern to take the tapes home, but bring them back tomorrow. Which is pretty stupid in its own right, but let's throw a little conspiracy angle in. The consultant sells the data on the tapes, but he just can't hand it over, so he tells an intern to take these tapes home and bring them back tomorrow. Tapes get stolen, consultant's deal goes off, the buyer gets his data, and it becomes an everyday incident of "My car got broken into and everything was taken!"

    People take laptops home for one night and it gets stolen, and it just so happens to have a million people's information on it. Over and over. I realize that things need to be encrypted, but still... the conspiracy angle dictates that not encrypting the data in these cases is the goal.
    --
    There are only 10 kinds of people in this world... those who understand binary and those who don't
  5. Re:Scapegoat? Maybe, but he's still a moron. by SatanicPuppy · · Score: 2, Interesting

    He's 22! If someone handed me a stack of backup tapes to take home when I was 16 I might have done it, but not at 22! Anything you take home from work is a risk, you should know that by that point.

    That being said, yea, the organization is primarily at fault. This is their offsite storage method, according to their disaster of a recovery plan. That it hasn't bitten them in the ass before this is nothing more than luck.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  6. Re:Scapegoat? Maybe, but he's still a moron. by SatanicPuppy · · Score: 4, Interesting

    Yea, that's kinda what I was thinking wrt the "Tech savviness of the modern criminal."

    You have to accept that the same kind of criminal who is going to bust your window to steal crap out of your car is going to snag a few tapes, contents unknown, on the principle that he can sell it to someone? Even if the stuff turns out to be valuable, he won't make any real money off of it because (assuming he actually knows of someone who would buy SSNs) the buyer would be free to misrepresent the value.

    I'd say this is a targeted theft by someone who knew damn well that those tapes would be going home with someone...Easy information to have because you know that, as many consultants as they've cycled through that place, tons of people knew their policy.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  7. Re:It gets better...er, funnier at least by TheLink · · Score: 5, Interesting

    Heh, I tried smith, 1234 and got:
    Your assigned activation PIN (personal identity number) is 7655616

    smith, 1235 = nada
    smith, 1236 = 8966764

    Then, I tried:
    %, 1236 = 3738028

    smit%, 1234 = 7655616
    smit, 1234 = 7655616
    smoth, 1234 = nada
    sm_th, 1234 = 7655616 :)

    Lastly, if your organization's procedure is to pass 22 year old interns the company's "family jewels" to keep overnight and one day they get stolen, it's not the intern's fault at all.

    The management is to be blamed for this. That's pretty much a stupid procedure.

    The intern isn't being paid enough for such a responsibility, nor should the intern be given such a responsibility in the first place.

    --
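
Added example, not part of the original comment or of the site it describes: the results reported in comment 7 match what a lookup returns when the typed name is placed into a SQL `LIKE` prefix pattern, which is an assumption here because the page does not show the site's code. The table, column names, rows and both functions are constructed for illustration; the second function is the corrected exact-match form.

```python
import sqlite3

# Constructed sample rows; names, last-four digits and PINs are invented.
ROWS = [
    ("smith", "1234", "1000001"),
    ("smith", "1236", "1000002"),
    ("jones", "1236", "1000003"),
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pins (last_name TEXT, last4 TEXT, pin TEXT)")
    db.executemany("INSERT INTO pins VALUES (?, ?, ?)", ROWS)
    return db

def lookup_like(db, name, last4):
    """Weak form (assumed): the name becomes a LIKE prefix pattern, so a
    % or _ typed by the user is a wildcard and a partial name matches."""
    row = db.execute(
        "SELECT pin FROM pins WHERE last_name LIKE ? || '%' AND last4 = ? "
        "ORDER BY rowid LIMIT 1",
        (name, last4),
    ).fetchone()
    return row[0] if row else None

def lookup_exact(db, name, last4):
    """Corrected form: exact, case-insensitive comparison. % and _ are
    ordinary characters, and anything but a single match is refused."""
    rows = db.execute(
        "SELECT pin FROM pins WHERE last_name = ? COLLATE NOCASE AND last4 = ?",
        (name.strip(), last4),
    ).fetchall()
    return rows[0][0] if len(rows) == 1 else None

def compare(name, last4):
    """Return (weak result, corrected result) for one pair of inputs."""
    db = make_db()
    return lookup_like(db, name, last4), lookup_exact(db, name, last4)

if __name__ == "__main__":
    for name, last4 in [("smith", "1234"), ("smit", "1234"), ("sm_th", "1234"),
                        ("%", "1236"), ("smoth", "1234"), ("smith", "1235")]:
        print(name, last4, compare(name, last4))
```
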
  8. They're all stupid by Avatar8 · · Score: 3, Interesting
    Not just the intern to blame here. There is obvious failure, lack of responsibility and plain stupidity amongst all those involved.


    Consultants reporting to consultants? Great plan if you don't care to remain in control of your company/organization.
    Making a single, bottom level, low income person responsible for your most valuable asset, data? Obviously no concept of sensitive information.
    No encryption? Dumb, dumber and dumbest omission of data management.

    My recommendations:
    1) Keep the intern. He now is knowledgeable and will make better decisions on similar matters; however, let him do the job appropriate to his level. Being fully responsible for off site data should not be part of his job.
    2) Update the policy in accordance with federal, SOX, ISO 17799 and whatever other standards apply to include data encryption and a *real* off site method.
    3) Get rid of one of the consultants. All consultants should be reporting directly to an employee who has interest in the company/organization.
    4) Use the money saved by removing the excess consultant to pay a professional company to pick up and store the tapes off site, in a secure, disaster recovery designed site. Iron Mountain does a pretty good job. (or use their online data transfer method) If nothing else, purchase a small, fireproof box with a lock and make the manager carry it home each night.

    These are really basic IT management decisions. I feel sorry for the people relying upon such an organization with an obvious lack of skill or concern.

  9. Re:Scapegoat? Maybe, but he's still a moron. by denebian+devil · · Score: 2, Interesting

    "Part of me always thinks some of these stories are really fishy..."
    I currently work for a small business where this "take the backup tapes home with you for the night" is exactly their "disaster plan." I'm not saying it's a good plan. But it may be more common than you think.

    "People take laptops home for one night and it gets stolen, and it just so happens to have a million people's information on it."
    The article did say he'd been doing the same thing for 3 months before the theft occurred. It's not like that was the one and only night he took the tapes home in that manner.
  10. Re:Scapegoat? Maybe, but he's still a moron. by Dephex+Twin · · Score: 3, Interesting

    I took on an internship at about that age at one of the world's largest packaged foods companies, where I thought I would be maintaining some data on spreadsheets. That turned out to be true, but more specifically, it was vital contact info, security measures, and dozens of other related bits of info in order to comply with post-9/11 bioterrorism regulations. I was to call these hundreds of different processing plants and make sure the info was less than three months old. I would be the one and only person in charge of this information for the entire company.

    When I inherited the info, I saw that it was already quite behind and out-of-date (and I also noticed that there was an error in the 30+ part questionnaire being used where the numbers were off, so all the data on the spreadsheet was potentially wrong). I envisioned headlines such as this, only with some sort of food contamination disaster or plant explosion, and my photo with the caption "Didn't maintain bioterrorism database".

    I got the hell out of there immediately. In my opinion, the fact that this was such a small-time job with low pay, and the fact that I was only 22 with no family, made it infinitely easier for me to say "no way, sorry, this is ridiculous" and just be done with it. If the guy had a family of five and had worked at the company for years and suddenly had to risk it all by taking these tapes, then I could understand why he would be conflicted. This guy here had everything to lose and very little to gain by taking those tapes.

    --

    If you want to make an apple pie from scratch, you must first create the universe. -- Carl Sagan
  11. Re:Tape = encryption by LongestPrefix · · Score: 2, Interesting

    Sure, you can buy plenty of tape drives, but are you going to get them to work? To read the right block size? To decode the file format used by the backup tool? To possibly even deal with EBCDIC? This archive was probably split across several tapes. I've worked with several tape systems, mostly SCSI on Linux. It's remarkably hard to get things to work consistently, even when using the simplest tools, or when using some of the nicest. By "work consistently", I mean: consistently restore files when needed. ("Nobody cares about backup. Everybody cares about restore." -- Benjy Feen)

  12. Re:It gets better...er, funnier at least by iknowcss · · Score: 2, Interesting
    Interesting to note on the page:

    A letter is also being mailed to the most recent address we have on file. You should receive this communication in the mail very shortly.
    Looks like some Smiths are going to find out their SSN has been stolen whether or not they know how to use a computer :)
    --
    Life is rarely fair. Cherish the moments when there is a right answer.
  13. Re:Scapegoat? Maybe, but he's still a moron. by Anonymous Coward · · Score: 1, Interesting

    If I were in either situation, yours or the Ohio intern's, I'd do what I was told but tell my boss this was a bad idea. I've been an intern in a few places with ridiculous practices and every time I'll tell them which ones are improper. The company you worked for? Perhaps you could have told them you needed more help to update things, that the last intern was bad at his job, etc. etc.
     
    This guy needed to show some initiative and some common sense: bring backup tapes inside with you, ask why it was the intern's job to bring them home (why not the contractor's house?) and whether there was a way to back up the data onto a remote server. He'd probably get brushed off but maybe something would change.

  14. Re:Scapegoat? Maybe, but he's still a moron. by Doctor+Faustus · · Score: 2, Interesting

    Back when I was a computer engineering student at Western Michigan University, my assembler class (x86, taught by the EE department -- I also had SPARC assembler taught by the CS department) used a textbook published by DeVry. I was a little taken aback when I noticed that.

  15. Re:Scapegoat? Maybe, but he's still a moron. by Nikker · · Score: 2, Interesting

    These tapes were not stolen by a 'common' thief like a crackhead. What makes what you have appealing to someone looking for money? The fact that you have something they know they can sell quickly, which is usually something like electronics, laptops or tape decks. The whole reason for that is they want to be able to sell it to the very next person they see, they don't want to explain what it is cause they don't know. Who would really want to buy data tapes out the back of a van or on the street anyway? It doesn't make sense that the consultant wanted tapes that were reasonably out of harm's way taken out of the building just to have them returned the next day? That doesn't make any sense, but it does set up an excellent pigeon for someone who does know what is on those tapes.

    As most will know on this site anyone making anywhere close to $10/hr likely is not trusted enough to go for coffee and get the order right let alone carry data for 800k clients for no apparent reason.

    Since when does any company tell you to take sensitive data to your own home just to bring it back later?

    --
    A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.