Slashdot Mirror
IT Worker Fired After Massive Georgia Data Breach Speaks Out (ajc.com)
McGruber writes: On November 17, two Georgia women filed a class action lawsuit alleging that Georgia Secretary of State Brian Kemp had released the Social Security numbers, birthdates, Drivers License numbers and other private information of all registered voters in Georgia. After the lawsuit was filed, Secretary Kemp posted an official notice of the breach on his website as required by Georgia state law.
Secretary Kemp also sent a private letter to Georgia lawmakers describing how the breach happened. In the letter, obtained by The Atlanta Journal-Constitution, Kemp said his office learned of the foul-up on Nov. 13 — four days before any public acknowledgment of the problem. In that private letter to Georgia lawmakers, Kemp also stated that he fired the IT worker who had inadvertently added the personal data including Social Security numbers and birth dates to the public statewide voter file.
Now that fired IT worker, longtime state programmer Gary Cooley, has told the Atlanta Journal Constitution newspaper that he did not actually have the security access necessary to add millions of Social Security numbers and birth dates to the data file that was released to the public. While Cooley does acknowledge a role in the gaffe, he also outlined a more complicated series of missteps and miscommunications both within Kemp's office and with PCC Technology Group, an outside vendor tasked with managing voter data for the state.
Secretary Kemp also sent a private letter to Georgia lawmakers describing how the breach happened. In the letter, obtained by The Atlanta Journal-Constitution, Kemp said his office learned of the foul-up on Nov. 13 — four days before any public acknowledgment of the problem. In that private letter to Georgia lawmakers, Kemp also stated that he fired the IT worker who had inadvertently added the personal data including Social Security numbers and birth dates to the public statewide voter file.
Now that fired IT worker, longtime state programmer Gary Cooley, has told the Atlanta Journal Constitution newspaper that he did not actually have the security access necessary to add millions of Social Security numbers and birth dates to the data file that was released to the public. While Cooley does acknowledge a role in the gaffe, he also outlined a more complicated series of missteps and miscommunications both within Kemp's office and with PCC Technology Group, an outside vendor tasked with managing voter data for the state.
News at 11:00
for those unwilling to shuffle through two links and random popups, heres the situation:
Cooley doesnt seem to be an IT guy at all, just a liaison for an IT outsource firm that handles the data for Georgia. his department got a request from the revenue department for the data. Cooley then got approval from his departments lawyers and requested the new datafile with sensitive info. The vendor however didnt understand the request and put the sensitive data on a public network share. Cooley quickly removed it from the share, but --and this is key-- an entirely separate group of people copied the file, burned it to CD, and released it to a far broader audience. Cooley did his job, but is being blamed for something hes entirely not a part of. Namely, some other agencies cock-up.
instead of "coming clean" to a newspaper, he should have filed a wrongful termination suit. I'd wager Cooley doesnt care about that, and is just glad to get out from an underpaying cube-slave job with low oversight and piss poor accountability and management.
Good people go to bed earlier.
Obviously didn't read the article or the article that the article talks about. If you had read it, you would know that the person fired had requested from the people who have access to the real data for a second file to be created which included the social security numbers, etc., to be combined with the data in the voter registry (after himself being requested to provide the data in that format to another group internally at the State, and after having received confirmation and approval from the lawyers and boss to provide the data in that format to that group).
The F-up was that the people he requested for the separate new format data misunderstood the request and instead of creating a new file with the new format, simply updated the existing voter registration data and left it in the normal location that voter registration data always existed and didn't notify the person who was fired that they had made the changes like that. It wasn't until the person who was fired asked the contractor for an update on the new configuration that he was informed that it was done the day of the request and that they simply updated the voter registration file with the data.
The only mistake that the person fired made was that he then simply yanked and sanitized the voter registration file to remove those fields (since it shouldn't be in the voter registration file) and ran a search to try and see if anyone had accessed and copied the file (which didn't turn up anything). So he figured everything was caught before any damage could have been done. However, what he didn't know was that someone else had accessed and copied the file, but copied it to a place they were not suppose to copy it to (which is why the search turned up that no one had accessed the file), and then didn't review the file (again, as per policy for all files being sent out) for anything that shouldn't be sent out, and made CDs/DVDs of the copied file and sent them out to the 12 organizations/groups/individuals that always receive the monthly voter registration data.
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"