Slashdot Mirror

← Back to Stories (view on slashdot.org)

Intern Loses 800,000 Social Security Numbers

Posted by Zonk on from the bad-day-bad-day dept.

destinyland writes "A 22-year-old intern said today he's the 'scapegoat' for the loss of over 800,000 social security numbers - or roughly 7.3% of the people in the entire state of Ohio. From the article: 'The extent of my instructions on what to do after I removed the tapes from the tape drive and took the tapes out of the building was, bring these back tomorrow.' Three months into his $10.50-an-hour internship, he left the tapes in his car overnight — unencrypted — and they were stolen. Interestingly, the intern reports to a $125-an-hour consultant — and was advised not to tell the police that sensitive information had been stolen, which initially resulted in his becoming the prime suspect for the theft. Ohio's Inspector General faults the lack of data encryption — and too many layers of consultants. But their investigation (pdf) revealed that Ohio's Office of Management and Budget had been using the exact same procedure for over eight years."

24 of 492 comments (clear)

  1. Scapegoat? Maybe, but he's still a moron. by SatanicPuppy · · Score: 5, Insightful

    "So what did you learn interning this summer?"
    "DIAF."

    I'm forever amazed at how often people seem to be willing to snag a stack of backup media out of the back of someone's car. The criminal element seems to be quite tech savvy these days; I just wish some of that would pass to the rest of the population.

    I live in the south, and "media left in a car" is not really a problem here; leaving tapes in the back seat of a car in the summertime is what we do when the incinerator is out of order...Works even at night!

    Who the hell would send an intern out with backup tapes anyway? Makes no sense. Is that their offsite storage procedure? Send the tapes home with an intern, and hope he brings 'em back? Reading the PDF report, that turns out to be exactly what their procedure was...They even had it in their disaster plan, which makes me think it was more disaster and less plan. What the hell? Does the state of Ohio have so few buildings that they have to send the tapes home with people?

    Fricking consultants. By the "You get what you pay for" scale you'd think $125-an-hour would buy you more than a huge pain in the ass like this. Sounds like the whole organization was rotten though, so it's hard to blame them.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    1. Re:Scapegoat? Maybe, but he's still a moron. by baudilus · · Score: 5, Insightful

      It doesn't necessarily mean that the criminal element is more tech savvy, but in today's world it's quite apparent that data tapes (usually marked with the size of the tapes, i.e. 50GB, 100GB, etc.) usually mean sensitive information - which is usually salable. Heck, even a crackhead would recognize that and try to sell them for a few bucks, not knowing what he really had. The real travesty here is the fact that the tapes were unencrypted. The intern himself could've taken the tapes home, read and copied all the data, returned the tapes, and no one would have known. If you don't want to pay for off-site storage, at least encrypt your data!

    2. Re:Scapegoat? Maybe, but he's still a moron. by TapeCutter · · Score: 5, Insightful

      "Sounds like the whole organization was rotten though, so it's hard to blame them."

      As someone who spent a decade or so as a "fricking consultant" I don't find it hard to blame him. If Mr. $125/hr was a half competent consultant he should at the very least have email evidence to show that he tried to change this retarded procedure but was vetoed by his superior. If he has such evidence then rinse & repeat up the PHB ladder.

      --
      And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
    3. Re:Scapegoat? Maybe, but he's still a moron. by Alizarin+Erythrosin · · Score: 4, Interesting

      Who the hell would send an intern out with backup tapes anyway? Makes no sense. Is that their offsite storage procedure? Send the tapes home with an intern, and hope he brings 'em back? Reading the PDF report, that turns out to be exactly what their procedure was...They even had it in their disaster plan, which makes me think it was more disaster and less plan. What the hell? Does the state of Ohio have so few buildings that they have to send the tapes home with people?

      Part of me always thinks some of these stories are really fishy...

      I mean, he tells the intern to take the tapes home, but bring them back tomorrow. Which is pretty stupid in its own right, but let's throw a little conspiracy angle in. The consultant sells the data on the tapes, but he just can't hand it over, so he tells an intern to take these tapes home and bring them back tomorrow. Tapes get stolen, consultant's deal goes off, the buyer gets his data, and it becomes an everyday incident of "My car got broken into and everything was taken!"

      People take laptops home for one night and it gets stolen, and it just so happens to have a million people's information on it. Over and over. I realize that things need to be encrypted, but still... the conspiracy angle dictates that not encrypting the data in these cases is the goal.
      --
      There are only 10 kinds of people in this world... those who understand binary and those who don't
    4. Re:Scapegoat? Maybe, but he's still a moron. by Oligonicella · · Score: 4, Insightful

      Very much in agreement with you.

      As a 30+ year consultant, I've banged my head numerous times against stupid 'security'. Many times, I simply refused to follow their procedures. Let some company goon do the stupid thing. I'm paid to be an analyst and if I spot a problem and report it, I'm certainly not going to follow procedures I myself have labeled as bad.

      The consultant is the primary blame and the intern a very far second. Just because a company has bad procedures doesn't mean you follow them.

    5. Re:Scapegoat? Maybe, but he's still a moron. by SatanicPuppy · · Score: 4, Interesting

      Yea, that's kinda what I was thinking wrt the "Tech savviness of the modern criminal."

      You have to accept that the same kind of criminal who is going to bust your window to steal crap out of your car is going to snag a few tapes, contents unknown, on the principle that he can sell it to someone? Even if the stuff turns out to be valuable, he won't make any real money off of it because (assuming he actually knows of someone who would buy SSNs) the buyer would be free to misrepresent the value.

      I'd say this is a targeted theft by someone who knew damn well that those tapes would be going home with someone...Easy information to have because you know that, as many consultants as they've cycled through that place, tons of people knew their policy.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    6. Re:Scapegoat? Maybe, but he's still a moron. by Ravenscall · · Score: 4, Insightful

      Hi, Ohioan here. While We have a Democrat Governor now, and this happened on his watch, these are policies that were implemented during the Taft Administration, which is widely viewed as one of the most corrupt and incompetent administrations in Ohio history.

      This has absolutely nothing to do with the Bush administration however, the blame lies squarely on the state and nobody else.

      --
      You say you want a revolution....
    7. Re:Scapegoat? Maybe, but he's still a moron. by Anonymous Coward · · Score: 5, Funny

      Errrm... He was studying "computers" at DeVry. That is NOT "Computer Science". Let me illustrate the difference:

      Computer Science:

      "So, as you can see, the Halting Problem cannot be solved using Turing Machines; Alan Turing proved this in a paper in..."

      DeVry:

      "Ok, class, now push the glowy button and let it boot up... Oooh! Shiny! Isn't that SHINY?"

      NOT THE SAME. :)

    8. Re:Scapegoat? Maybe, but he's still a moron. by denebian+devil · · Score: 5, Insightful

      He's 22! If someone handed me a stack of backup tapes to take home when I was 16 I might have done it, but not at 22! Anything you take home from work is a risk, you should know that by that point. But if you were an intern and you were told to do something, would you just say no? Perhaps they would laud you for your insight an initiative, or perhaps they'd just fire you and get a more compliant intern. Not everyone wants to take that risk, especially someone who is in their first or one of their first jobs.
  2. prime suspect by j00r0m4nc3r · · Score: 4, Funny

    "Three months into his $10.50-an-hour internship, he left the tapes in his car overnight -- unencrypted -- and they were stolen, and his 1990 Yugo mysteriously replaced with a new Ferrari."

  3. Uh-oh. by Rob+T+Firefly · · Score: 5, Funny

    After all these years, they've finally found a security hole in the Sneakernet.

    --
    Slashdot Burying Stories About Slashdot Media Owned
  4. Small mistake in title... by cbrichar · · Score: 5, Funny

    Intern Loses 800,000 Social Security Numbers, 1 Internship

    Fixed it for you.

  5. everyone BUT the intern should be fired by uncleFester · · Score: 4, Insightful

    heh.. getting fired for doing what your boss told you to do.. it's the new trend in corporate america!

    i get told now and then to do something not quite above board.. so i send the requester an email asking them to state in explicit detail what they want so i can be clear (and also have a record/trail). most times, the request is not repeated. doesn't make me terribly popular, but i sure as hell am not going to get tossed for another person's bad (or illegal?) request.

    i kinda feel bad for the intern.. kinda like a falsely-accused criminal. this will probably follow him around a while and it was little or no fault of his own..

    -r (has NO problem believing the intern's story 100%)

    --
    -'fester
  6. Makes sense not to report for a bit by Dan+East · · Score: 4, Insightful

    It makes sense not to report the loss for a while. 5 cars were broken into that night, and the thieves certainly grabbed anything that looked half valuable. They most likely had no idea that the tapes contained potentially valuable information, and almost without any doubt had no means to actually read the data.

    If a news report came out the next day "20,000 SSNs stolen" then they would know what they had, and try to find a buyer. Otherwise the tapes would likely have been trashed so the criminals wouldn't have incriminating evidence sitting around their house.

    Dan East

    --
    Better known as 318230.
  7. Re:I think the bigger problem by CaffeineAddict2001 · · Score: 5, Funny

    If you pay taxes you work for the government =)

  8. It gets better...er, funnier at least by gskouby · · Score: 5, Informative

    The State of Ohio is offering one year of identity theft protection to those affected. To lookup your access code for this one free year of ID theft prevention please visit this page:

    http://ohio.gov/idprotect/lookup/lookup.aspx/

    On this page you enter your last name and the last four of your SSN. Anybody see anything fishy about this page? HOW ABOUT THAT IT ISN'T USING SSL. Apparently they don't believe in using encryption anywhere, ever. Not on backup tapes and definately not when transmitting sensitive information over the Internet.

    1. Re:It gets better...er, funnier at least by TheLink · · Score: 5, Interesting

      Heh, I tried smith, 1234 and got:
      Your assigned activation PIN (personal identity number) is 7655616

      smith, 1235 = nada
      smith, 1236 = 8966764

      Then, I tried:
      %, 1236 = 3738028

      smit%, 1234 = 7655616
      smit, 1234 = 7655616
      smoth, 1234 = nada
      sm_th, 1234 = 7655616 :)

      Lastly, if your organization's procedure is to pass 22 year old interns the company's "family jewels" to keep overnight and one day they get stolen, it's not the intern's fault at all.

      The management is to be blamed for this. That's pretty much a stupid procedure.

      The intern isn't being paid enough for such a responsibility, nor should the intern be given such a responsibility in the first place.

      --
  9. Are you really trying to blame Bush? by benhocking · · Score: 4, Funny

    First, someone decided to blame the Scaled Composites explosion on Bush and now this? I don't like Bush, either, but there are (still) limits to his power, you know.

    --
    Ben Hocking
    Need a professional organizer?
  10. Re:It Figures... by AutopsyReport · · Score: 5, Insightful

    Yeah, it's easier for any entity to blame its peons for misjudgment rather than highlight the lack of process that would have prevented this type of situation in the first place. The higher-ups had the noose on this kid before anyone else bothered to realize the intern is not to blame. And now we've got an article on Slashdot about how the "intern" lost the SSN's. But did he really lose them?

    To all the comments that are calling the intern an idiot for leaving the tapes in his car, I ask you this: where should he have stored them? In his apartment which can be just as easily broken into? Was he supposed to rent out a protected storage unit at his own expense? The correct answer is that he should have never been responsible for storing them. Now ask yourself what is worse: a superior handing over 800,000 SSN's to an intern, or an intern leaving those SSN's in his car?

    --

    For he today that sheds his blood with me shall be my brother.

  11. And I think the bigger problem by DragonWriter · · Score: 4, Informative

    Is your reading comprehension:

    There were SSN's of 770,000 taxpayers plus 64,000 state employees that together were 7.3% of the state population. Nowhere does it say that 7.3% of the population was working for the state government.

  12. Yes, I am by Anonymous Coward · · Score: 5, Funny

    I stubbed my toe this morning on my coffee table. Explain to me how that is NOT Bush's fault. You got no answer for that one, huh?

  13. $125 an hour? by n1ckml007 · · Score: 4, Funny

    I'm obviously in the wrong career path; I could be losing SSN's for $125 an hour! Maybe next year I can move on to some $200 an hour medical record losing gig.

  14. Hippy by benhocking · · Score: 4, Funny

    I voted for Optimus Prime
    Damn hippy. Megatron was obviously the candidate for law and order.
    --
    Ben Hocking
    Need a professional organizer?
  15. Well, I could by benhocking · · Score: 4, Funny

    Just let me pull out my dictionary and look up "money laundering".

    --
    Ben Hocking
    Need a professional organizer?