IT Worker Fired After Massive Georgia Data Breach Speaks Out (ajc.com)
McGruber writes: On November 17, two Georgia women filed a class action lawsuit alleging that Georgia Secretary of State Brian Kemp had released the Social Security numbers, birthdates, driver's license numbers and other private information of all registered voters in Georgia. After the lawsuit was filed, Secretary Kemp posted an official notice of the breach on his website as required by Georgia state law.
Secretary Kemp also sent a private letter to Georgia lawmakers describing how the breach happened. In the letter, obtained by The Atlanta Journal-Constitution, Kemp said his office learned of the foul-up on Nov. 13 — four days before any public acknowledgment of the problem. In that private letter to Georgia lawmakers, Kemp also stated that he fired the IT worker who had inadvertently added the personal data including Social Security numbers and birth dates to the public statewide voter file.
Now that fired IT worker, longtime state programmer Gary Cooley, has told The Atlanta Journal-Constitution that he did not actually have the security access necessary to add millions of Social Security numbers and birth dates to the data file that was released to the public. While Cooley does acknowledge a role in the gaffe, he also outlined a more complicated series of missteps and miscommunications both within Kemp's office and with PCC Technology Group, an outside vendor tasked with managing voter data for the state.
He may not have had the access to browse through such data, but I bet he is the one who posted the data to the website. Personal info is commonly kept out of easy IT reach, though honestly most IT Directors would be able to easily circumvent such things since they are the ones that put the security restrictions in place.
Normally you'd have to go through some type of Human Resources person to get such data, but in any case the data did not post itself and the IT person was still in the best position to understand the error and stop it before it happened.
If you're an IT guy and you do something that your expertise should prevent at this level, you still should get fired. That's why people hire IT techs. If an Office Manager asked me to do something I know is either wrong or risky, it's the IT department's job to say no with all its force. Sure, it would be nice to have open remote desktops to all your computers so employees could work at home, and to a layman that could even seem like a reasonable idea, but to someone with IT knowledge it would be a move that would almost guarantee a high chance of data loss or sabotage.
When you hire a plumber, for instance, you're hiring an expert in their field. If the homeowner tells you to do something against code, you say no. It's that simple. Knowing your reputation and employee info is at risk, you're supposed to head these kinds of things off, not blindly obey people without computer knowledge. It's the IT tech's job to perform the due diligence of the position, that's ultimately why they get paid well, they are responsible for potentially millions of dollars in data. Bosses come and go, data breaches are forever. In almost any field your expertise must come first, not your obedience.