Intern Loses 800,000 Social Security Numbers

destinyland writes "A 22-year-old intern said today he's the 'scapegoat' for the loss of over 800,000 social security numbers - or roughly 7.3% of the people in the entire state of Ohio. From the article: 'The extent of my instructions on what to do after I removed the tapes from the tape drive and took the tapes out of the building was, bring these back tomorrow.' Three months into his $10.50-an-hour internship, he left the tapes in his car overnight — unencrypted — and they were stolen. Interestingly, the intern reports to a $125-an-hour consultant — and was advised not to tell the police that sensitive information had been stolen, which initially resulted in his becoming the prime suspect for the theft. Ohio's Inspector General faults the lack of data encryption — and too many layers of consultants. But their investigation (pdf) revealed that Ohio's Office of Management and Budget had been using the exact same procedure for over eight years."

Re:Scapegoat? Maybe, but he's still a moron.

[Alizarin+Erythrosin]

Who the hell would send an intern out with backup tapes anyway? Makes no sense. Is that their offsite storage procedure? Send the tapes home with an intern, and hope he brings 'em back? Reading the PDF report, that turns out to be exactly what their procedure was...They even had it in their disaster plan, which makes me think it was more disaster and less plan. What the hell? Does the state of Ohio have so few buildings that they have to send the tapes home with people?

Part of me always thinks some of these stories are really fishy...

I mean, he tells the intern to take the tapes home, but bring them back tomorrow. Which is pretty stupid in its own right, but let's throw a little conspiracy angle in. The consultant sells the data on the tapes, but he just can't hand it over, so he tells an intern to take these tapes home and bring them back tomorrow. Tapes get stolen, consultant's deal goes off, the buyer gets his data, and it becomes an everyday incident of "My car got broken into and everything was taken!"

People take laptops home for one night and it gets stolen, and it just so happens to have a million people's information on it. Over and over. I realize that things need to be encrypted, but still... the conspiracy angle dictates that not encrypting the data in these cases is the goal.

Re:Scapegoat? Maybe, but he's still a moron.

[SatanicPuppy]

Yea, that's kinda what I was thinking wrt the "Tech savviness of the modern criminal."

You have to accept that the same kind of criminal who is going to bust your window to steal crap out of your car is going to snag a few tapes, contents unknown, on the principle that he can sell it to someone? Even if the stuff turns out to be valuable, he won't make any real money off of it because (assuming he actually knows of someone who would buy SSNs) the buyer would be free to misrepresent the value.

I'd say this is a targeted theft by someone who knew damn well that those tapes would be going home with someone...Easy information to have because you know that, as many consultants as they've cycled through that place, tons of people knew their policy.

Re:It gets better...er, funnier at least

[TheLink]

Heh, I tried smith, 1234 and got:
Your assigned activation PIN (personal identity number) is 7655616

smith, 1235 = nada
smith, 1236 = 8966764

Then, I tried:
%, 1236 = 3738028

smit%, 1234 = 7655616
smit, 1234 = 7655616
smoth, 1234 = nada
sm_th, 1234 = 7655616 :)

Lastly, if your organization's procedure is to pass 22 year old interns the company's "family jewels" to keep overnight and one day they get stolen, it's not the intern's fault at all.

The management is to be blamed for this. That's pretty much a stupid procedure.

The intern isn't being paid enough for such a responsibility, nor should the intern be given such a responsibility in the first place.