Intern Loses 800,000 Social Security Numbers

← Back to Stories (view on slashdot.org)

Intern Loses 800,000 Social Security Numbers

Posted by Zonk on Friday July 27, 2007 @01:41AM from the bad-day-bad-day dept.

destinyland writes "A 22-year-old intern said today he's the 'scapegoat' for the loss of over 800,000 social security numbers - or roughly 7.3% of the people in the entire state of Ohio. From the article: 'The extent of my instructions on what to do after I removed the tapes from the tape drive and took the tapes out of the building was, bring these back tomorrow.' Three months into his $10.50-an-hour internship, he left the tapes in his car overnight — unencrypted — and they were stolen. Interestingly, the intern reports to a $125-an-hour consultant — and was advised not to tell the police that sensitive information had been stolen, which initially resulted in his becoming the prime suspect for the theft. Ohio's Inspector General faults the lack of data encryption — and too many layers of consultants. But their investigation (pdf) revealed that Ohio's Office of Management and Budget had been using the exact same procedure for over eight years."

74 of 492 comments (clear)

Scapegoat? Maybe, but he's still a moron. by SatanicPuppy · 2007-07-27 01:46 · Score: 5, Insightful

"So what did you learn interning this summer?"
"DIAF."

I'm forever amazed at how often people seem to be willing to snag a stack of backup media out of the back of someone's car. The criminal element seems to be quite tech savvy these days; I just wish some of that would pass to the rest of the population.

I live in the south, and "media left in a car" is not really a problem here; leaving tapes in the back seat of a car in the summertime is what we do when the incinerator is out of order...Works even at night!

Who the hell would send an intern out with backup tapes anyway? Makes no sense. Is that their offsite storage procedure? Send the tapes home with an intern, and hope he brings 'em back? Reading the PDF report, that turns out to be exactly what their procedure was...They even had it in their disaster plan, which makes me think it was more disaster and less plan. What the hell? Does the state of Ohio have so few buildings that they have to send the tapes home with people?

Fricking consultants. By the "You get what you pay for" scale you'd think $125-an-hour would buy you more than a huge pain in the ass like this. Sounds like the whole organization was rotten though, so it's hard to blame them.

--
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
1. Re:Scapegoat? Maybe, but he's still a moron. by baudilus · 2007-07-27 01:55 · Score: 5, Insightful
  
  It doesn't necessarily mean that the criminal element is more tech savvy, but in today's world it's quite apparent that data tapes (usually marked with the size of the tapes, i.e. 50GB, 100GB, etc.) usually mean sensitive information - which is usually salable. Heck, even a crackhead would recognize that and try to sell them for a few bucks, not knowing what he really had. The real travesty here is the fact that the tapes were unencrypted. The intern himself could've taken the tapes home, read and copied all the data, returned the tapes, and no one would have known. If you don't want to pay for off-site storage, at least encrypt your data!
2. Re:Scapegoat? Maybe, but he's still a moron. by loafula · 2007-07-27 02:04 · Score: 2, Insightful
  
  i'm willing to bet whoever stole the tapes from the car didn't know what the hell he or she was stealing. they went in for the radar detector, saw the tapes, and grabbed them cause they were there. their probably at the bottom of some restaurant's dumpster by now. or well burnt and buried in the woods. you can't blame the intern too much, though. any institution who's policy is to bring the tapes home probably doesn't stress data security all that much, and him being an intern means he probably doesn't have all that much experience to know just how important it is.
  
  --
  FOXTROT UNIFORM CHARLIE KILO
3. Re:Scapegoat? Maybe, but he's still a moron. by TapeCutter · 2007-07-27 02:10 · Score: 5, Insightful
  
  "Sounds like the whole organization was rotten though, so it's hard to blame them."
  
  As someone who spent a decade or so as a "fricking consultant" I don't find it hard to blame him. If Mr. $125/hr was a half competent consultant he should at the very least have email evidence to show that he tried to change this retarded procedure but was vetoed by his superior. If he has such evidence then rinse & repeat up the PHB ladder.
  
  --
  And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
4. Re:Scapegoat? Maybe, but he's still a moron. by Alizarin+Erythrosin · 2007-07-27 02:11 · Score: 4, Interesting
  
  Who the hell would send an intern out with backup tapes anyway? Makes no sense. Is that their offsite storage procedure? Send the tapes home with an intern, and hope he brings 'em back? Reading the PDF report, that turns out to be exactly what their procedure was...They even had it in their disaster plan, which makes me think it was more disaster and less plan. What the hell? Does the state of Ohio have so few buildings that they have to send the tapes home with people?
  
  Part of me always thinks some of these stories are really fishy...
  
  I mean, he tells the intern to take the tapes home, but bring them back tomorrow. Which is pretty stupid in its own right, but let's throw a little conspiracy angle in. The consultant sells the data on the tapes, but he just can't hand it over, so he tells an intern to take these tapes home and bring them back tomorrow. Tapes get stolen, consultant's deal goes off, the buyer gets his data, and it becomes an everyday incident of "My car got broken into and everything was taken!"
  
  People take laptops home for one night and it gets stolen, and it just so happens to have a million people's information on it. Over and over. I realize that things need to be encrypted, but still... the conspiracy angle dictates that not encrypting the data in these cases is the goal.
  
  --
  There are only 10 kinds of people in this world... those who understand binary and those who don't
5. Re:Scapegoat? Maybe, but he's still a moron. by SatanicPuppy · 2007-07-27 02:11 · Score: 2, Interesting
  
  He's 22! If someone handed me a stack of backup tapes to take home when I was 16 I might have done it, but not at 22! Anything you take home from work is a risk, you should know that by that point.
  
  That being said, yea, the organization is primarily at fault. This is their offsite storage method, according to their disaster of a recovery plan. That it hasn't bitten them in the ass before this is nothing more than luck.
  
  --
  ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
6. Re:Scapegoat? Maybe, but he's still a moron. by Oligonicella · 2007-07-27 02:15 · Score: 4, Insightful
  
  Very much in agreement with you.
  
  As a 30+ year consultant, I've banged my head numerous times against stupid 'security'. Many times, I simply refused to follow their procedures. Let some company goon do the stupid thing. I'm paid to be an analyst and if I spot a problem and report it, I'm certainly not going to follow procedures I myself have labeled as bad.
  
  The consultant is the primary blame and the intern a very far second. Just because a company has bad procedures doesn't mean you follow them.
7. Re:Scapegoat? Maybe, but he's still a moron. by SatanicPuppy · 2007-07-27 02:23 · Score: 4, Interesting
  
  Yea, that's kinda what I was thinking wrt the "Tech savviness of the modern criminal."
  
  You have to accept that the same kind of criminal who is going to bust your window to steal crap out of your car is going to snag a few tapes, contents unknown, on the principle that he can sell it to someone? Even if the stuff turns out to be valuable, he won't make any real money off of it because (assuming he actually knows of someone who would buy SSNs) the buyer would be free to misrepresent the value.
  
  I'd say this is a targeted theft by someone who knew damn well that those tapes would be going home with someone...Easy information to have because you know that, as many consultants as they've cycled through that place, tons of people knew their policy.
  
  --
  ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
8. Re:Scapegoat? Maybe, but he's still a moron. by lawpoop · 2007-07-27 02:25 · Score: 2, Insightful
  
  in today's world it's quite apparent that data tapes (usually marked with the size of the tapes, i.e. 50GB, 100GB, etc.) usually mean sensitive information - which is usually salable. Heck, even a crackhead would recognize that and try to sell them for a few bucks, not knowing what he really had. I don't see how a crackhead could line this deal up. Their only market seems to be the pawnshop and the street corner.
  
  I take it that you are a relatively savvy tech-head geek. Would you be able to line up a buyer for social security or other personal information?
  
  --
  Computers are useless. They can only give you answers.
  -- Pablo Picasso
9. Re:Scapegoat? Maybe, but he's still a moron. by MrNaz · 2007-07-27 02:26 · Score: 3, Insightful
  
  My initial tinfoil hat response is this:
  Someone on the outside was paying the $125 consultant for the data, so the consultant set up that little scenario so his buddies on the outside could get their hands on the data, making what was an espionage job look like a little bit of regular garden variety bureaucratic incompetence.
  
  --
  I hate printers.
10. Re:Scapegoat? Maybe, but he's still a moron. by dougmc · 2007-07-27 02:32 · Score: 2, Informative
  
  IMO there's nothing wrong with sending tapes home with people. Agreed -- it's the poor man version of offsite backups, though if they have sensitive information they should be encrypted at the very least. Still, while it probably makes sense for a five man office, it's probably not the best way of doing things for a big operation.
  The biggest problem with moving tapes around is that you have to make sure they're not moved in a car with a great big stereo. Subwoofers can play havoc on magnetic media. Actually, the strongest magnet you have in your house probably isn't strong enough to do anything to modern data tapes. It takes a strong honking magnet to affect modern data tape media in the slightest. You could wrap your DLT/LTO/whatever tape up with a big woofer for a month and it would still be readable -- wouldn't be affected at all, actually. There's a minimum magnetic strength required to change things on the tape, and if you can't reach that, it doesn't matter how long your magnet is nearby.
  
  The heat is probably a bigger danger.
  As for the big woofers, they might attract thieves and cause problems that way :)
11. Re:Scapegoat? Maybe, but he's still a moron. by lawpoop · 2007-07-27 02:36 · Score: 2, Funny
  
  ... let's throw a little conspiracy angle in. OK! Wayne Madsen has a conspiracy theory that all of the data thefts are a black op to populate the Total Information Awareness database, which is itself now a black op.
  
  He maintains a chart of data thefts that shows millions of records from both public and private sources, but the chart is now on the subscription portion of the site.
  
  --
  Computers are useless. They can only give you answers.
  -- Pablo Picasso
12. Re:Scapegoat? Maybe, but he's still a moron. by TapeCutter · 2007-07-27 02:42 · Score: 2, Insightful
  
  "The problem is, whether you are a $125 per hour consultant or $25 per hour consultant, the company that hired you isn't going to listen to you."
  
  I don't doubt that happens but in my own experience I have rarely found it to be the case. Sure they don't always agree with me, but they do listen.
  
  "Consulting is no fun, except the paychecks tend to be pretty good."
  
  If your not "having fun" then get the fuck out of the kitchen.
  
  --
  And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
13. Re:Scapegoat? Maybe, but he's still a moron. by alflauren · 2007-07-27 02:46 · Score: 2, Informative
  
  Absolutely right on the price. $125 an hour is about the rate that I would charge if I were a college graduate trying to start my own consulting firm. You're not going to get anyone decent for under $300-400 and hour these days, and you'll need to spend more than that to get someone good.
14. Re:Scapegoat? Maybe, but he's still a moron. by Ravenscall · 2007-07-27 02:48 · Score: 4, Insightful
  
  Hi, Ohioan here. While We have a Democrat Governor now, and this happened on his watch, these are policies that were implemented during the Taft Administration, which is widely viewed as one of the most corrupt and incompetent administrations in Ohio history.
  
  This has absolutely nothing to do with the Bush administration however, the blame lies squarely on the state and nobody else.
  
  --
  You say you want a revolution....
15. Re:Scapegoat? Maybe, but he's still a moron. by Anonymous Coward · 2007-07-27 02:49 · Score: 5, Funny
  
  Errrm... He was studying "computers" at DeVry. That is NOT "Computer Science". Let me illustrate the difference:
  
  Computer Science:
  
  "So, as you can see, the Halting Problem cannot be solved using Turing Machines; Alan Turing proved this in a paper in..."
  
  DeVry:
  
  "Ok, class, now push the glowy button and let it boot up... Oooh! Shiny! Isn't that SHINY?"
  
  NOT THE SAME. :)
16. Re:Scapegoat? Maybe, but he's still a moron. by dthable · 2007-07-27 02:51 · Score: 2, Insightful
  
  Crime is a strange thing.
  
  Often a criminal will set his target - "I'm going to get that stereo" or "This idiot leaves computer like stuff in the car. Maybe I'll find a laptop". Once the window is broken, you grab anything that isn't bolted to the car frame and run like hell. It could have been some backup tapes this time or it could have been a case of blank CD-Rs. Don't matter once the window is broken.
  
  After you get away, then you sort out the goods. Again, most guys don't know what they have but there are plenty of people on the streets, a whole network in fact, that can appraise the loot. One of those guys might have an IT background and know what those tapes are.
  
  Being a criminal isn't all that hard. It just comes with a big risk and limited payoff.
17. Re:Scapegoat? Maybe, but he's still a moron. by djasbestos · 2007-07-27 02:53 · Score: 2, Insightful
  
  You know, that actually does stand up to my "Law": Any conspiracy theory that does not allow for the government to be completely incompetent cannot be true.
18. Re:Scapegoat? Maybe, but he's still a moron. by denebian+devil · 2007-07-27 02:57 · Score: 2, Interesting
  
  Part of me always thinks some of these stories are really fishy... I currently work for a small business where this "take the backup tapes home with you for the night" is exactly their "disaster plan." I'm not saying it's a good plan. But it may be more common than you think.
  People take laptops home for one night and it gets stolen, and it just so happens to have a million people's information on it. The article did say he'd been doing the same thing for 3 months before the theft occurred. It's not like that was the one and only night he took the tapes home in that manner.
19. Re:Scapegoat? Maybe, but he's still a moron. by TapeCutter · 2007-07-27 02:59 · Score: 3, Insightful
  
  I've been in the trade for ~20yrs total and (for now) being on the payroll suits me. I find a similar attitude works just as well for full-timers as it does for consultants. A PHB once offered me a veiled threat in a meeting by saying "principles are expensive", I replied with a simle "That's why your paying me the big bucks!", he cracked up laughing and dropped the issue.
  
  --
  And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
20. Re:Scapegoat? Maybe, but he's still a moron. by Ngarrang · 2007-07-27 02:59 · Score: 3, Insightful
  
  Really....wouldn't an intern who is 22 years old and possibly an CS major know well enough to not leave data tapes in his car overnight? No. Because people in their natural state are stupid. These are the same people who open e-mails from people they don't know and open attachments because it is promised to be a 'kewl screensaver' or something else inane.
  
  --
  Bearded Dragon
21. Re:Scapegoat? Maybe, but he's still a moron. by denebian+devil · 2007-07-27 03:00 · Score: 5, Insightful
  
  He's 22! If someone handed me a stack of backup tapes to take home when I was 16 I might have done it, but not at 22! Anything you take home from work is a risk, you should know that by that point. But if you were an intern and you were told to do something, would you just say no? Perhaps they would laud you for your insight an initiative, or perhaps they'd just fire you and get a more compliant intern. Not everyone wants to take that risk, especially someone who is in their first or one of their first jobs.
22. Re:Scapegoat? Maybe, but he's still a moron. by Lumpy · 2007-07-27 03:01 · Score: 2, Insightful
  
  All it takes to be a consultant is to print it on your business-card and be able to bullshit your way into a paying gig.
  
  Just because someone is a "consultant" does not mean they even know what they are doing.
  
  --
  Do not look at laser with remaining good eye.
23. Re:Scapegoat? Maybe, but he's still a moron. by Dragonslicer · 2007-07-27 03:20 · Score: 2, Funny
  
  ...these are policies that were implemented during the Taft Administration Wow, Ohio's backup plan is a hundred years old?
  
  Sorry, I couldn't resist.
24. Re:Scapegoat? Maybe, but he's still a moron. by Dephex+Twin · 2007-07-27 03:40 · Score: 3, Interesting
  
  I took on an internship at about that age at one of the world's largest packaged foods companies, where I thought I would be maintaining some data on spreadsheets. That turned out to be true, but more specifically, it was vital contact info, security measures, and dozens of other related bits of info in order to comply with a post-9/11 bioterrorism regulations. I was to call these hundreds of different processing plants and make sure the info was less than three months old. I would be the one and only person in charge of this information for the entire company.
  
  When I inherited the info, I saw that it was already quite behind and out-of-date (and I also noticed that there was an error in the 30+ part questionnaire being used where the numbers were off, so all the data on the spreadsheet was potentially wrong). I envisioned headlines such as this, only with some sort of food contamination disaster or plant explosion, and my photo with the caption "Didn't maintain bioterrorism database".
  
  I got the hell out of there immediately. In my opinion, the fact that this was such a small-time job with low pay, and the fact that I was only 22 with no family, made it infinitely easier for me to say "no way, sorry, this is ridiculous" and just be done with it. If the guy had a family of five and had worked at the company for years and suddenly had to risk it all by taking these tapes, then I could understand why he would be conflicted. This guy here had everything to lose and very little to gain by taking those tapes.
  
  --
  
  If you want to make an apple pie from scratch, you must first create the universe. -- Carl Sagan
25. Re:Scapegoat? Maybe, but he's still a moron. by Nevyn · 2007-07-27 04:09 · Score: 2, Informative
  
  IMO there's nothing wrong with sending tapes home with people.
  
  Sure, I've worked at places that do that ... but sending them home with the intern? Whenever I've seen it done it's been with trusted full time employees, with a paper trail of exact what went to their home.
  
  --
  ustr: Managed string API with ave. 44% overhead over strdup(), for 0-20B
26. Re:Scapegoat? Maybe, but he's still a moron. by mlts · 2007-07-27 04:40 · Score: 2, Informative
  
  If there is a solid encryption system [1] in place, there isn't anything wrong with this at all, (although a service like Iron Mountain would be the best.)
  
  Encrypted backups are not hard to do, although its not in that many backup programs on the Windows side (unless you go to Networker or Tivoli Storage Manager) support solid encryption. The main one that does support encryption is EMC/Insignia's Retrospect on the Windows side, and Arkeia on the UNIX side.
  
  [1]: A solid encryption system is not just clicking a checkbox that says "backup will be encrypted", and typing in a password on two blank fields, but knowing who has access to what passwords, and preferably having it that the guy who has the encryption keys or passwords is not the same guy in physical custody of the tapes 24/7, assuming a large company.
27. Re:Scapegoat? Maybe, but he's still a moron. by Doctor+Faustus · 2007-07-27 04:59 · Score: 2, Interesting
  
  Back when I was a computer engineering student at Western Michigan University, my assembler class (x86, taught by the EE department -- I also has SPARC assembler taught by the CS department) used a textbook published by DeVry. I was a little taken aback when I noticed that.
28. Re:Scapegoat? Maybe, but he's still a moron. by Nikker · 2007-07-27 05:16 · Score: 2, Interesting
  
  These tapes were not stolen by a 'common' theif like a crackhead. What makes what you have appealing to someone looking for money? The fact that you have something they know they can sell quickly, which is usually something like electronics, laptops or tape decks. The whole reason for that is they want to be able to sell it to the very next person they see, they don't want to explain what it is cause they don't know. Who would really want to buy data tapes out the back of a van or on the street anyway? It doesn't make sence that the consultant wanted tapes that were reasonably out of harms way taken out of the building just to have them returned the next day? That doesn't make and sence, but it does set up an excellent pigeon for someone who does know what is on those tapes.
  
  As most will know on this site anyone making anywhere close to $10/hr likely is not trusted enough to go for coffee and get the order right let alone carry data for 800k clients for no apparent reason.
  
  Since when does any company tell you to take sensitive data to your own home just to bring it back later?
  
  --
  A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
29. Re:Scapegoat? Maybe, but he's still a moron. by Mister+Whirly · 2007-07-27 05:37 · Score: 2, Insightful
  
  In ALL cases, someone has something to gain. It's not ALWAYS a conspiracy. This was just an example of terrible policy, not a malicious plot. The "gain" in this case could have been achieved through much simpler means. Why go through an elaborate ruse involving multiple people that could blow the whole thing by talking about it? Especially when there is many other different ways the same thing could be accomplished. Let me ask you this - if you were a consultant making $125 an hour, would you risk your job, and freedom, for a few thousand dollars?? Your scenario just doesn't make much sense if you analyze it. If you reject Hanlon's Razor, how about Occam's Razor - "Entities should not be multiplied beyond necessity" or paraphrased - "All things being equal, the simplest solution tends to be the best one."
  
  --
  "But this one goes to 11!"
30. Re:Scapegoat? Maybe, but he's still a moron. by chimpo13 · 2007-07-27 07:35 · Score: 2, Funny
  
  Frankie say: Relax.
  
  Screw encryption. I just back-up everything on cassette tapes. Just the way my TRS-80 like it! Go Tandy!
  
  My only encryption is labeling the tapes Wham! and Frankie Goes to Hollywood.
  
  --
  riding round the world on an old motorcycle
31. Re:Scapegoat? Maybe, but he's still a moron. by tsm_sf · 2007-07-27 11:15 · Score: 2, Funny
  
  Ahh, the voice of inexperience. Guess what? The boss knew it was a bad idea when he passed it down. Why would he do such a thing? You have a project that needs to be done securely and quickly. You will be rewarded for quickness but not security. You will be most definitely punished for slowness, but chances are slim that anyone would find out about a lack of security. Solution? Pass the job downstream and tell the peon to hurry it up, but be sure you mention security in an offhand manner at some point.
  
  This is how all governments and most large corps work. Your "well, I'd do it differently" approach is endearing in it's innocence and naivete.
  
  --
  Literalism isn't a form of humor, it's you being irritating.
obviously he is a idiot. by falcon5768 · 2007-07-27 01:46 · Score: 3, Interesting

I dont leave my freaking DS in the car let alone sensitive data like that. But there is plenty of blame to go around on this... in particular the fact that other than to prevent loss in the case of a fire, I cant see one legitimate reason for the tapes even leaving the site.
Hell even in that case, why didnt they have a remote backup to prevent loss through a fire or flood.
Yep plenty of blame to go around.

--
"Slashdot, where telling the truth is overrated but lying is insightful."
I think the bigger problem by afidel · 2007-07-27 01:47 · Score: 3, Insightful

Is that 7.3% of the population is working directly for the state government! I wonder what total percentage of the population works directly and indirectly (such as the contractor) for the government at all levels?

--
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
1. Re:I think the bigger problem by CaffeineAddict2001 · 2007-07-27 01:55 · Score: 5, Funny
  
  If you pay taxes you work for the government =)
2. Re:I think the bigger problem by CheeseTroll · 2007-07-27 02:02 · Score: 2, Insightful
  
  If you pay the gov't, isn't gov't working for you?
  
  --
  A post a day keeps productivity at bay.
3. Re:I think the bigger problem by sholden · 2007-07-27 02:02 · Score: 2
  
  http://www.washingtonpost.com/wp-dyn/content/artic le/2006/10/05/AR2006100501782.html - 14.6 million federal
  http://www.heartland.org/Article.cfm?artId=18746 - 15.8 million state and local
  
  So over 10%. Which probably doesn't include state and local contractors. Or the industrial part of the "military-industrial complex"...
4. Re:I think the bigger problem by CaffeineAddict2001 · 2007-07-27 02:19 · Score: 2, Insightful
  
  It depends if you believe the government is working towards your interests or not. Since paying taxes is not optional, I'm sure most people would agree that they do not.
5. Re:I think the bigger problem by mollymoo · 2007-07-27 03:04 · Score: 2, Insightful
  
  I find it amazing that the prevalent attitude in the USA seems to be, simultaneously, that theirs is the greatest democracy in the world and that their government(s) work(s) in opposition to the people.
  
  --
  Chernobyl 'not a wildlife haven' - BBC News
prime suspect by j00r0m4nc3r · 2007-07-27 01:47 · Score: 4, Funny

"Three months into his $10.50-an-hour internship, he left the tapes in his car overnight -- unencrypted -- and they were stolen, and his 1990 Yugo mysteriously replaced with a new Ferrari."
Uh-oh. by Rob+T+Firefly · 2007-07-27 01:48 · Score: 5, Funny

After all these years, they've finally found a security hole in the Sneakernet.

--
Slashdot Burying Stories About Slashdot Media Owned
Small mistake in title... by cbrichar · 2007-07-27 01:49 · Score: 5, Funny

Intern Loses 800,000 Social Security Numbers, 1 Internship

Fixed it for you.
7.3%- Sounds about right by DrLudicrous · 2007-07-27 01:50 · Score: 2, Insightful

7.3% sounds right. I know of several people affected by this- but rest assured, the great state of Ohio is promising one full year of ID theft protection. Bet that makes those folks sleep better at night. One friend that got a letter informing him of his SSN being stolen was told why- he was one of many Ohio taxpayers who has not yet cashed their state tax refund, and as a result, was kept in a database on the stolen tapes. As the Prentenders said, "Way to go Ohio!"
1. Re:7.3%- Sounds about right by courtarro · 2007-07-27 02:44 · Score: 2, Funny
  
  Slashdot headline, July 27, 2008: "800,000 identities stolen in Ohio"
everyone BUT the intern should be fired by uncleFester · 2007-07-27 01:50 · Score: 4, Insightful

heh.. getting fired for doing what your boss told you to do.. it's the new trend in corporate america!

i get told now and then to do something not quite above board.. so i send the requester an email asking them to state in explicit detail what they want so i can be clear (and also have a record/trail). most times, the request is not repeated. doesn't make me terribly popular, but i sure as hell am not going to get tossed for another person's bad (or illegal?) request.

i kinda feel bad for the intern.. kinda like a falsely-accused criminal. this will probably follow him around a while and it was little or no fault of his own..

-r (has NO problem believing the intern's story 100%)

--
-'fester
1. Re:everyone BUT the intern should be fired by Minwee · 2007-07-27 02:22 · Score: 2, Funny
  
  No, I think that he very definitely was there the day that lesson was taught. It was the morning after he took a set of backup tapes home.
Makes sense not to report for a bit by Dan+East · 2007-07-27 01:54 · Score: 4, Insightful

It makes sense not to report the loss for a while. 5 cars were broken into that night, and the thieves certainly grabbed anything that looked half valuable. They most likely had no idea that the tapes contained potentially valuable information, and almost without any doubt had no means to actually read the data.

If a news report came out the next day "20,000 SSNs stolen" then they would know what they had, and try to find a buyer. Otherwise the tapes would likely have been trashed so the criminals wouldn't have incriminating evidence sitting around their house.

Dan East

--
Better known as 318230.
1. Re:Makes sense not to report for a bit by hellfire · 2007-07-27 02:16 · Score: 2, Insightful
  
  That makes no sense. You report the loss to the police, and then you ask/suggest them to keep it under wraps because of the sensitive nature of the data in the hopes the criminals don't know what they have. You are also doing a disservice to the people's information that was stolen, because what if the criminals DID know what they had and DID have a way to read the data?
  
  That's like not reporting your car stolen and just hoping it will turn up somewhere unscathed because it was a 1989 honda. Sure, it's not worth much to anyone but you, but not letting the police do their job is plain stupid.
  
  --
  "All great wisdom is contained in .signature files"
It gets better...er, funnier at least by gskouby · 2007-07-27 01:56 · Score: 5, Informative

The State of Ohio is offering one year of identity theft protection to those affected. To lookup your access code for this one free year of ID theft prevention please visit this page:

http://ohio.gov/idprotect/lookup/lookup.aspx/

On this page you enter your last name and the last four of your SSN. Anybody see anything fishy about this page? HOW ABOUT THAT IT ISN'T USING SSL. Apparently they don't believe in using encryption anywhere, ever. Not on backup tapes and definately not when transmitting sensitive information over the Internet.
1. Re:It gets better...er, funnier at least by TheLink · 2007-07-27 02:24 · Score: 5, Interesting
  
  Heh, I tried smith, 1234 and got:
  Your assigned activation PIN (personal identity number) is 7655616
  
  smith, 1235 = nada
  smith, 1236 = 8966764
  
  Then, I tried:
  %, 1236 = 3738028
  
  smit%, 1234 = 7655616
  smit, 1234 = 7655616
  smoth, 1234 = nada
  sm_th, 1234 = 7655616 :)
  
  Lastly, if your organization's procedure is to pass 22 year old interns the company's "family jewels" to keep overnight and one day they get stolen, it's not the intern's fault at all.
  
  The management is to be blamed for this. That's pretty much a stupid procedure.
  
  The intern isn't being paid enough for such a responsibility, nor should the intern be given such a responsibility in the first place.
  --
  
  Too many replies beneath your current threshold
2. Re:It gets better...er, funnier at least by iknowcss · 2007-07-27 04:01 · Score: 2, Interesting
  
  Interesting to note on the page:
  
  A letter is also being mailed to the most recent address we have on file. You should receive this communication in the mail very shortly.
  Looks like some Smiths are going to find out their SSN has been stolen whether or not they know how to use a computer :)
  
  --
  Life is rarely fair. Cherish the moments when there is a right answer.
3. Re:It gets better...er, funnier at least by N6546R · 2007-07-27 05:47 · Score: 2, Funny
  
  Tonight at 11: Smith family mysteriously receives 4,627 pieces of mail in one day. Sources cite the 'hardcopy Slashdot effect'.
Re:Bring these back tomorrow? by coren2000 · 2007-07-27 01:57 · Score: 2, Informative

I assume they remove backups from the site nightly, in case of fire.
Are you really trying to blame Bush? by benhocking · 2007-07-27 01:58 · Score: 4, Funny

First, someone decided to blame the Scaled Composites explosion on Bush and now this? I don't like Bush, either, but there are (still) limits to his power, you know.

--
Ben Hocking
Need a professional organizer?
1. Re:Are you really trying to blame Bush? by Billosaur · 2007-07-27 02:32 · Score: 2, Insightful
  
  Which leads to the obligatory:
  
  You don't know the power of the Dark Side
  
  Seriously, every President of the United States goes through this at one point or another. You're the most visible representation of authority in the United States, so when something bad happens, people blame you. Doesn't matter that you had no way of doing it, no control over the process that caused it, or didn't care about it. I don't think W is going to rank up there with the best President's when it's all said and done, and he's certainly not on my Christmas card list, but the rampant need to blame everything on him is ludicrous. Besides, we Americans only have ourselves to blame -- we elected him! Well... I didn't... I voted for Optimus Prime...
  
  --
  GetOuttaMySpace - The Anti-Social Network
Re:It Figures... by AutopsyReport · 2007-07-27 01:59 · Score: 5, Insightful

Yeah, it's easier for any entity to blame its peons for misjudgment rather than highlight the lack of process that would have prevented this type of situation in the first place. The higher-ups had the noose on this kid before anyone else bothered to realize the intern is not to blame. And now we've got an article on Slashdot about how the "intern" lost the SSN's. But did he really lose them?

To all the comments that are calling the intern an idiot for leaving the tapes in his car, I ask you this: where should he have stored them? In his apartment which can be just as easily broken into? Was he supposed to rent out a protected storage unit at his own expense? The correct answer is that he should have never been responsible for storing them. Now ask yourself what is worse: a superior handing over 800,000 SSN's to an intern, or an intern leaving those SSN's in his car?

--
For he today that sheds his blood with me shall be my brother.
Simple Solution To All This by deadline · 2007-07-27 02:04 · Score: 3, Insightful

There is a simple solution to this kind of thing. You take the SSN, bank account and CC numbers of the person in charge (the General, Congressman, CEO etc.) and you put them in every container, laptop, tape, HDD, USB stick, etc. that has private information on it.
Problem solved.

--
HPC for Primates. Read Cluster Monkey
Negligence by HamsterRabies · 2007-07-27 02:07 · Score: 2, Interesting

The 22 yr olds' response is unacceptable given the amount of press and exposure identity theft is given.

The value of labor per hour is not relevant and should be considered distraction of truth in this situation. The reality is that an adult of mature age was directed to secure the property and was asked to take it home and keep it safe.

Whether this was wrong or not is non point the moment he accepted the assignment.
The fact that he left it in his vehicle is a first point of negligence.
The second fact would be his willingness to do something he felt was a risk, such as taking these tapes home.
The third being his lack of documented objection to the process and procedure which is obviously faulted.
1. Re:Negligence by TechnicolourSquirrel · 2007-07-27 03:10 · Score: 2, Insightful
  
  This guy is an intern. Know what that is? Hint: for an intern, there is no 'not accepting the assignment'. Might as well say nothing and just stay home, instead, because that's about to be your 'new assignment', anyway...
  
  Intern: "I know that I have no experience and no battle-tested skills, but I'm afraid I must disagree with the way you're running this company. My recommendation is to--"
  Boss: "Excuse me, but do you work here?"
  Intern: "Uh, yeah. Summer program."
  Boss: "Well, this year, Fall's comin' early!"
  
  It is to laugh. But seriously, in the service of battling this apparently massive epidemic of worldwide intern negligence, I have done a bit of research into all of the "documented objections to process and procedure" which have ever been initiated by interns, throughout all of time and space. Here's the complete list...
  
  Didja miss it? Sad state of affairs, wouldn't you say? Which begs the question: WHY are America's interns so incompetent? We need to train our interns! In fact, somebody should start some sort of training program with this very thing as its goal. Why even stop there? Why not a training program at every company? America needs to get its act together, because education is everything.
And I think the bigger problem by DragonWriter · 2007-07-27 02:08 · Score: 4, Informative

Is your reading comprehension:

There were SSN's of 770,000 taxpayers plus 64,000 state employees that together were 7.3% of the state population. Nowhere does it say that 7.3% of the population was working for the state government.
A few points on his statement by galego · 2007-07-27 02:09 · Score: 2, Insightful

From his statement: As an intern, I do not create policy, I do not interpret policy, and I do not question policy. I do what I am instructed to do.

1) He also obviously did not take time to investigate or read the policy. Granted .. this can be also blamed on supervisor's. But there is no 'patch' for ignorance, correct? Sometimes you only get one shot. 2) If he had any idea what was on the tape, he should not have left it in his car. I don't know if it was in the open or not, but 'intern' or not, he should be aware of the sensitivities of that sort of data. He commented on the policy (which he was not aware of until after the fact ... we've covered that) and said it was "unreasonable to assume that the person would not stop somewhere on their way home". (He is questioning the policy, but we'll cover that next.) Again ... if I knew what was on that tape (granted, I am not an innocent, young 'intern'), I wouldn't take it. If forced to, I wouldn't let it out of my sight til in my home. 3) He *should* question policy if he wants to be valued .. hopefully he learns from that. That's something I look for in a valuable employee. Questioning does not necessarily mean 'defy' (which I think is what he is trying to say). If not questioning the policy, he should be asking "This stuff is encrypted, right?" They are kind of going after the young intern as someone to pin this on, I'm sure. However, I don't think he can/should hide behind his 'intern' label and fire his pop-gun back saying none of it is his fault. He should admit his part in the mistakes and what he would not repeat ... then point to the broken policy / security model. Also hope they have fraud alerts set up on those 770,000 people and are ensuring they have state-provided equifax accounts! ;)

--
Que Deus te de em dobro o que me desejas
[May God give you double that which you wish for me]
Yes, I am by Anonymous Coward · 2007-07-27 02:10 · Score: 5, Funny

I stubbed my toe this morning on my coffee table. Explain to me how that is NOT Bush's fault. You got no answer for that one, huh?
Also, scam sites are going to be all over this by sgant · 2007-07-27 02:12 · Score: 2, Insightful

I can see it now, spam email going out saying "due to the recent theft of Social Security numbers, please check here to see if your number was stolen. Just input your number here, and we'll tell you if yours was part of the theft...have a nice day..."

--

"Leo Fender was in a 'state of grace' when he designed the Stratocaster." -- Paul Reed Smith
And this is why by Anarke_Incarnate · 2007-07-27 02:20 · Score: 3, Insightful

SSNs should NEVER be used as primary identification numbers. They are legally only allowed to be used for distribution of benefits and collection of "tax" towards paying out those benefits.

They are essentially a pyramid scheme to keep old people happy. You have to put them on everything, because they have become a national ID number. People are to complacent with that.
$125 an hour? by n1ckml007 · 2007-07-27 02:23 · Score: 4, Funny

I'm obviously in the wrong career path; I could be losing SSN's for $125 an hour! Maybe next year I can move on to some $200 an hour medical record losing gig.
They're all stupid by Avatar8 · 2007-07-27 02:56 · Score: 3, Interesting

Not just the intern to blame here. There is obvious failure, lack of responsibility and plain stupidity amongst all those involved.

Consultants reporting to consultants? Great plan if you don't care to remain in control of your company/organization.
Making a single, bottom level, low income person responsible for your most valuable asset, data? Obviously no concept of sensitive information.
No encryption? Dumb, dumber and dumbest omission of data management.
My recommendations:
1) Keep the intern. He now is knowledgeable and will make better decisions on similar matters; however, let him do the job appropriate to his level. Being fully responsible for off site data should not be part of his job.
2) Update the policy in accordance with federal, SOX, ISO 17799 and whatever other standards apply to include data encryption and a *real* off site method.
3) Get rid of one of the consultants. All consultants should be reporting directly to an employee who has interest in the company/organization.
4) Use the money saved by removing the excess consultant to pay a professional company to pickup and store the tapes off site, in a secure, disaster recovery designed site. Iron Mountain does a pretty good job. (or use their online data transfer method) If nothing else, purchase a small, fireproof box with a lock and make the manager carry it home each night.
These are really basic IT management decisions. I feel sorry for the people relying upon such an organization with an obvious lack of skill or concern.
Re:Bring these back tomorrow? by LurkerXXX · 2007-07-27 03:05 · Score: 2, Informative

It's called offsite storage. If you aren't doing it, look into it or you will regret not doing so if your building ever burns down, floods, etc.

They just did it in a horribly horribly bad way. There are lots of other state buildings around they could transfer things to regularly. Having anyone, let alone an intern, take them to their home instead is simply stupid. As is leaving company property unattended in your car. Having them do that with unencrypted data was just batshit insane.
Hippy by benhocking · 2007-07-27 03:18 · Score: 4, Funny

I voted for Optimus Prime
Damn hippy. Megatron was obviously the candidate for law and order.

--
Ben Hocking
Need a professional organizer?
Well, I could by benhocking · 2007-07-27 03:31 · Score: 4, Funny

Just let me pull out my dictionary and look up "money laundering".

--
Ben Hocking
Need a professional organizer?
ObThisWeekend by LittleGuy · 2007-07-27 03:31 · Score: 3, Funny

Wizard.

--
Mod Karma -1: I sed bad wurds. If I cep my mouf shut, I wud be at riyses.
Re:Tape = encryption by LongestPrefix · 2007-07-27 04:00 · Score: 2, Interesting

Sure, you can buy plenty of tape drives, but are you going to get them to work? To read the right block size? To decode the file format used by the backup tool? To possibly even deal with EBCDIC? This archive was probably split across several tapes. I've worked with several tape systems, mostly SCSI on Linux. It's remarkably hard to get things to work consistently, even when using the simplest tools, or when using some of the nicest. By "work consistently", I mean: consistently restore files when needed. ("Nobody cares about backup. Everybody cares about restore." -- Benjy Feen)
Why is this marked as 'Troll' by shis-ka-bob · 2007-07-27 04:36 · Score: 2, Insightful

I think the parent comment makes sense and calling this a 'troll' us unfair. The consultant was not trying to stop the thieves from knowing what they had, he was covering his ass and hoping that this could just go away. If the correct tactic is to keep the information out of the press, then the police are the ones that should make the call.
Yesterday, I was the first on the scene to an accident. A kid (temporarily, I believe) lost vision in one eye when the air bag smacked him in the face. I think it was my duty to report everything that I did (check for injuries, make sure he was coherent, move some debris out of the road) to the police officers & ambulance crew. The police can decide was matters, they do this every day. I am a novice & my opinions as to what matters is inferior to their experience.

--
Think global, act loco
Anna Kournikova nude! by Archangel+Michael · 2007-07-27 04:57 · Score: 2, Funny

Made you look.

--
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Informative by benhocking · 2007-07-27 06:09 · Score: 2, Funny

A crackhead might not have great long-term strategizing skills, but they know how to make a quick buck. Odd computer equipment will get you blank looks when you bring it into the computer shop. Nobody needs it, and anybody who would wouldn't go to the pawnshop looking for it. The pawnshop takes stuff like laptops ( not worthless old pentium II desktops ), car steroes, watches, gold, jewelry -- stuff that almost anyone would buy, and has high salability. Backup tapes or disks are not really salable items.
You sound very ... knowledgeable about all of this. Let me guess, a "friend" told you this. Were you, I mean your "friend", disappointed they wouldn't take backup tapes? ;)

--
Ben Hocking
Need a professional organizer?