IT Worker Fired After Massive Georgia Data Breach Speaks Out

McGruber writes: On November 17, two Georgia women filed a class action lawsuit alleging that Georgia Secretary of State Brian Kemp had released the Social Security numbers, birthdates, Drivers License numbers and other private information of all registered voters in Georgia. After the lawsuit was filed, Secretary Kemp posted an official notice of the breach on his website as required by Georgia state law.

Secretary Kemp also sent a private letter to Georgia lawmakers describing how the breach happened. In the letter, obtained by The Atlanta Journal-Constitution, Kemp said his office learned of the foul-up on Nov. 13 — four days before any public acknowledgment of the problem. In that private letter to Georgia lawmakers, Kemp also stated that he fired the IT worker who had inadvertently added the personal data including Social Security numbers and birth dates to the public statewide voter file.

Now that fired IT worker, longtime state programmer Gary Cooley, has told the Atlanta Journal Constitution newspaper that he did not actually have the security access necessary to add millions of Social Security numbers and birth dates to the data file that was released to the public. While Cooley does acknowledge a role in the gaffe, he also outlined a more complicated series of missteps and miscommunications both within Kemp's office and with PCC Technology Group, an outside vendor tasked with managing voter data for the state.

Users blaming IT

News at 11:00

that's why IT gets paid

[turkeydance]

to take the fall. it's not the tech, that's India's bailiwick.

Re: that's why IT gets paid

The employers?

saner summary.

[nimbius]

for those unwilling to shuffle through two links and random popups, heres the situation:

Cooley doesnt seem to be an IT guy at all, just a liaison for an IT outsource firm that handles the data for Georgia. his department got a request from the revenue department for the data. Cooley then got approval from his departments lawyers and requested the new datafile with sensitive info. The vendor however didnt understand the request and put the sensitive data on a public network share. Cooley quickly removed it from the share, but --and this is key-- an entirely separate group of people copied the file, burned it to CD, and released it to a far broader audience. Cooley did his job, but is being blamed for something hes entirely not a part of. Namely, some other agencies cock-up.

instead of "coming clean" to a newspaper, he should have filed a wrongful termination suit. I'd wager Cooley doesnt care about that, and is just glad to get out from an underpaying cube-slave job with low oversight and piss poor accountability and management.

Re:saner summary.

[TWX]

instead of "coming clean" to a newspaper, he should have filed a wrongful termination suit. I'd wager Cooley doesnt care about that, and is just glad to get out from an underpaying cube-slave job with low oversight and piss poor accountability and management.

More to the point, depending on how the public disclosure was handled and any slander on the part of government officials, he might be in a position to sue for retirement-related benefits. If he was close to retirement age anyway he might be able to leverage a lawsuit payment directly into his retirement-eligible wages which could take what might be a 60%-of-salary pension and get it closer to a 100% pension.

Re:saner summary.

[fred911]

"instead of "coming clean" to a newspaper, he should have filed a wrongful termination suit."

  Except for the fact that most employees in the state of Georgia are "at will". Which generally means they can fire
him with or without cause. Without knowing if there was an employment contract it's just speculation.

Re:saner summary.

[s.petry]

"At will" does not mean what you are implying. Wrongful terminations are quite possible, though obviously difficult to prove without extreme circumstances. This guy has extreme circumstances, and a politician on record saying they fired the responsible employee. Libel and Slander are also possible given this situation, so as a hunch the State of GA will be handing this guy a big pile of hush money^W^W^W^Wcheck for damages.

Re:saner summary.

[Jack9]

At-will does not protect an organization from wrongful termination or libel or slander. He can probably end up in a mediation for damages.

Re:saner summary.

[clovis]

They were right to fire him, but not for what he did, but what he did not do.
The data was exposed for 10 days, and he fixed that the instant he discovered the exposure.

What he did not do was tell his boss about it.

  His boss was put into the position of walking into a meeting with his dick hanging out, and he could have known, but the one guy who did know " thought it was ok"

Of all the sins an employee can make, it is a thousand times worse if the boss finds out about a screwup in his department from guy at the top, or worse, the newspaper, or worse yet, the lawyers.

Re:saner summary.

The miscommunication still falls on the person directly managing the situation, even if they weren't qualified to understand the problem.

You don't need to be a carpenter to run a general contracting company and build homes, but if your build faulty homes and someone gets hurt it still lands on your head. You can try to blame a sub-contractor, but one of the main reasons people hire general contractors is to manage all the multiple elements of a complex build.

If Cooley did not fully understand what was going on or did no fully communicate his needs, that's his fault, especially as the person effectively in charge of the project. Of course Cooley's boss should still take the brunt of the blame because that's how you root out bad management.

The people who posted this info must have had access to it, any reason able amount of follow through should have alerted them that a large amount of sensitive data was being posted publicly. I've been in plenty of IT situation where I had to real in security because everyone else was oblivious, even though that was clearly not my job role. IT work isn't unskilled labor, your supposed to know better than to do stuff like this, even if your just working with a company to host some data online. I suspect they were all getting paid well enough that there is no excuse for being so sloppy and oblivious.

Re:saner summary.

[Darinbob]

Wrongful termination almost never works these days. They can fire you for having the wrong shirt color and there's nothing you can do in most states. Even if there was a chance in Georgia, he'd still need absolute proof that this was the reason for his firing (ie, were the reasons for his termination put into writing). You can make inferences but that won't often work if you've got big lawyers versus small lawyers.

So really the best bet to get the job back or get compensation is to make it public, because elected officials may pay attention to that. Even if he doesn't get the job back he may be able to take down some officials with him.

Re:saner summary.

[stephanruby]

Except for the fact that most employees in the state of Georgia are "at will". Which generally means they can fire
him with or without cause. Without knowing if there was an employment contract it's just speculation.

At least three mistakes were made here. Thus far, only one mistake is being addressed, and that's the cover-up made by the employee.

The vendor needs to be taken to task. The vendor has security access to the data. Supposedly, the staff of the vendor should have been trained properly. Also, even if the public agency didn't disclose the breach. The vendor should have publicly disclosed the breach. It obviously didn't either.

And finally, what's up with Secretary Kemp? Why is he sending out political party affiliations to the Georgia Department of Revenue? He should have removed that field from the file. The Georgia Department of Revenue doesn't need to know that part. That part isn't relevant, or at least it shouldn't be.

Re:saner summary.

[l0n3s0m3phr34k]

Seeing that this is all over the news, and Georgia Secretary of State Brian Kemp has made multiple public statements about the firing, absolute proof in this specific incident shouldn't be too difficult.

Re: saner summary.

[orlanz]

People take the path of least resistance. Work the tickets that come in properly, delay till SLA on the whiners, and there is no SLA on emails. You take your time to respond that this email request should be submitted via a ticket.

I used to run a service desk and have had to deal with this many times. Executing on the emails is basically your actions speaking louder than your words.

Re:saner summary.

[eWarz]

Maybe, however since this was a government job, things are changed up ever so slightly. In most states a whistleblower law applies along with various public records acts. It's very different from working for a private employer. Your actions as a public employer are being held accountable by various laws that have been implemented in an attempt to protect the taxpayers. Someone's head is going to roll for this and I'm sure the IT guy will win out in the end unless he's hiding something.

Re:saner summary.

[AK+Marc]

Yes, that's how it always works. The innocent take blame more than the guilty. It's not what you know, it's who you know. Though the nepotism seems to nausiate those who believe in the meritocracy, so slashdot can't even discuss the tendency civilly.

Re:saner summary.

That really depends on the work environment. He may have known that if he brought it to the attention of his boss, he would have been blamed and possibly fired for it even though it wasn't his fault. Or maybe people were leaving private documents on public shares every few weeks and people were sick of reporting it.

If you found and fixed a seemingly minor security vulnerability that appeared to have gone unexploited, would you start ringing alarm bells or just consider it closed, make a note, and go about your day? if you forgot to make a note, is that fire-worthy? Depending on the job or the software, that's probably a weekly occurrence. Whose to say it's not the same sort of thing at his office?

Re:saner summary.

[Snotnose]

In the private sector your boss doesn't want to be bothered by all the screwups you fix. Dealing with screwups is part of your job, fix it and put it in your weekly status report.

Then again, I've never been in a position to reveal butt loads of SSNs either. Yet. bwa haa haaa.

Re:saner summary.

[Z00L00K]

Sometimes that's why companies pays people for early retirement. There's nothing to gain from firing someone as a scapegoat officially, it's better to keep stuff out of the news.

At least officially the person is retired. And the company may still have a hook on that person in case they need something.

Re:saner summary.

[Z00L00K]

Sometimes it's also better for management to not know everything, they may look like retards at first glance but if they were informed about every SNAFU that occurred they wouldn't be able to do their jobs.

It's also a security matter, if a manager knows everything that is to know then that person is also a security risk.

Re:saner summary.

[tburkhol]

If this guy was responsible for communicating with the outsource, and his order resulted in data contamination, then he is pretty much the only employee of the state available for personnel action.

I suppose they might cancel the contract with PCC, but that would be bad for the economy, disrupt state business for however long it takes to authorize a new contract, and likely has some breech of contract or early termination costs. Also, probably an admission of error at a much higher level

Re:saner summary.

[JaredOfEuropa]

I've worked with a few large corporations that had a pretty clear policy on this: if you suspect that sensitive data has been exposed, you must tell your boss or the infosec guys. They can then investigate whether any data was actually stolen, and take mitigating actions before having to read about the leak in the press. This makes sense. Dealing with screw ups is part of your job, but exposure of sensitive data is usually something that goes waaaay over your head or your pay grade. Not informing others about this breach certainly seems like something that warrants disciplinary action.

Re:saner summary.

[jgdnavy]

One thing that you're missing, at least according to the articles I read, is that when he became aware of the issue, he didn't report it, but simply removed the files. I've worked in government agencies dealing with PII before, and in almost all cases, knowledge of a breach of procedure like this requires reporting even if you don't have evidence that the data was ever accessed by an unauthorized party, with penaties ranging from internal discplinary actions to civil or criminal charges. While this doesn't mean he wasn't a scapegoat or that others shouldn't have also been fired, it does mean that it would be hard to argue wrongful termination when not reporting the action can be considered grounds for termination itself.

Re:saner summary.

[Applehu+Akbar]

"instead of "coming clean" to a newspaper, he should have filed a wrongful termination suit."

Do IT people actually get to do this? And file such a suit without running into 'You'll never get work on this planet again'? Blaring his account to the media might have been the only way to redress this.

Re:saner summary.

[JackieBrown]

Do IT people actually get to do this? And file such a suit without running into 'You'll never get work on this planet again'? Blaring his account to the media might have been the only way to redress this.

If I was an employer, an employee airing complaints to the media about his former job would scare me more then knowing that he had filed an unlawful termination lawsuit.

Re:saner summary.

[DuckDodgers]

If your boss deserves a manager position, he or she should never make you feel like you need to hide an error.

Too bad that's a rare thing. Too many managers think their job is to be the overseer wielding the whip on the backs of the field workers instead of the person whose biggest role is running interference against the bureaucratic garbage that stop the team from being productive.

Re:saner summary.

[Zontar+The+Mindless]

I've worked with a few large corporations that had a pretty clear policy on this: if you suspect that sensitive data has been exposed, you must tell your boss or the infosec guys.

The large corporation that employs me has exactly this policy.

Re:saner summary.

[idontgno]

Experience says that whistle-blowing is the best and fastest way to get blackballed. I'm pretty sure "You'll never work on this planet again" is already the case.

Re:saner summary.

[BVis]

This guy is radioactive anyway. He was a scapegoat for people above him in the hierarchy fucking up. This is what people in power that fuck up do - instead of admitting they don't know everything and are not perfect, they pick a drone that they can spin a narrative around (out of whole cloth, basically) and sell it to the angry mob who doesn't understand the issues involved. Yes, it basically ends someone's career, but the important thing is that it isn't their career like it should be.

So, since his career in IT is over, it doesn't matter if he blows the whistle at this point - he'd never get a job in IT again no matter what.

And I take issue with the fact that a terminated employee should be punished further for telling the truth about a situation. Any time someone is punished for telling the truth, we all lose.

Re:saner summary.

[BVis]

Unless you're a member of a "protected group", and/or you can demonstrate explicitly illegal behavior (like wage violations), you will not win a wrongful termination lawsuit. Being made a scapegoat is not illegal behavior on the employer's part. In the eyes of the law, there is no injury to the former employee here - you can be fired for any time for any reason, or no reason at all. That is what "at-will" employment means. The burden is on the former employee to demonstrate the true reason why they were terminated, which is nearly impossible to prove when the former employer has possession of any documentation that would tend to incriminate them (and records get "accidentally" destroyed all the time).

The theory is that "at-will" is fair because just as your employer can end your employment at any time with no notice or justification, you can walk away from a job with no notice or justification. The truth of the matter is that losing your job is much more damaging to the individual than an employer losing an employee that it has deemed a liability (or wants to make a scapegoat of).

Re:saner summary.

" ... the only employee of the state available for personnel action."

Brian Kemp stated clearly he takes all responsibility. He should therefore fire himself.

Re:saner summary.

[BVis]

What has the employer done wrong here? They fired him. They don't legally need a reason or a justification. Anyone can be fired at any time with no notice, justification, or recourse. Making a scapegoat out of someone is not illegal.

There is no winning if he files a wrongful termination lawsuit. He will lose the suit, and further destroy his employability. Being blamed for a data breach is one thing (he's probably unemployable just because he got blamed for it, right or wrong) but if an employer sees that firing someone will be harder than they think it should be, they won't touch him.

Re:saner summary.

[WindBourne]

Actually, if I were him, I would sue for wrongful termination, but no money other than legal fees. Basically, I would want my name cleared of that. It is obvious that the Secretary of State and the gov are trying to cover up their own misdeeds. After all, why were they requesting that data?

Re:saner summary.

[JackieBrown]

And I take issue with the fact that a terminated employee should be punished further for telling the truth about a situation. Any time someone is punished for telling the truth, we all lose.

I don't disagree. I was commenting on the post that said that career wise, it is better for people to go to the public media to broadcast the situation versus a private lawsuit.

Re:saner summary.

[JourneymanMereel]

The vendor needs to be taken to task. The vendor has security access to the data. Supposedly, the staff of the vendor should have been trained properly. Also, even if the public agency didn't disclose the breach. The vendor should have publicly disclosed the breach. It obviously didn't either.

This

Like many people on this site, I work in IT. I get requests for access to data all the time. Some are obvious that they should be granted (a new manager is hired and they ask for access to the management section of the file server). Some are obvious they shouldn't be granted (an engineer asks for access to our controlled documents, which by company policy are restricted to only 2 people [uncontrolled versions are available to larger groups]). Some are less obvious. In those cases, I typically push the request up to somebody who has the authority to authorize (or reject) the request... though not the ability to grant the access.

A request asking that all employees social security numbers and birth dates be published to the public most definitely would fall in the "obvious they shouldn't be granted" category. Seriously, who thought for one second that was a good idea. If I had a request come in to put that list together for anybody, let alone public consumption, you can bet I wouldn't rush to get it done (article says it was same day turn-around). I'd run it as high up the flag pole as I could and get a top level sign-off on it... even if the message said it had been approved by the company lawyers. Somebody should have figured out that Social Security Numbers and Public Access don't go in the same sentence.

Re:saner summary.

[clovis]

IT work isn't unskilled labor, your supposed to know better than to do stuff like this, even if your just working with a company to host some data online. I suspect they were all getting paid well enough that there is no excuse for being so sloppy and oblivious.

This^
Thanks, you said it better than I did.

Why is this not a surprise?

[schwit1]

It's always a minion that gets blamed and the punished. The prisoners are tortured at Abu Ghraib, and only the underlings go to jail. Their bosses knew. The bosses always know or should have known.

Nothing will change until top people like Brian Kemp or the former head of OPM are thrown into jail for years.

Re:Why is this not a surprise?

It's always a minion that gets blamed and the punished.

Six Phases of a Project

* Enthusiasm
* Disillusionment
* Panic
* Search for guilty
* Punishment of innocent
* Praise and honour for non participants

Re: Why is this not a surprise?

Donald Trump is still in the running because:

1) Republicans are *that* angry that the world didn't go ka-blooey...

Maybe the world didn't go ka-blooey. But a while back I came across some blog post on the internet about how hard it would be to choose if you were granted a single wish. And I thought, "That's not hard at all. I'd wish to have never been born."

The mainstream Democrats and Republicans are a good choice if the last couple decades have been good to you - if you're happy with the direction that the USA is headed and want more of the the same.

Myself, I'm tired of being a slow boiled frog - seeing politicians like Obama and Hillary preside over ever increasing income inequality. I lay awake in the wee hours of the morning with cold fear in the pit of my stomach wondering how I'm going to feed my family when my current job contract runs out - utterly exhausted from giving everything I have to my job and barely even having time to see my family at all - and knowing that it may not be good enough to avoid seeing my family fall into poverty.

Am I supposed to prefer Hillary to Donald Trump - when the main focus of her campaign is about how men have it too good and need to be knocked down a peg or two? Yeah, sure, why not vote for Hillary so she can make my life more difficult than it already is?

Maybe Trump would make things worse and maybe he would make things better. But, personally, if there's one thing I'm clear on, it's that I desperately don't want more of the same.

Re: Why is this not a surprise?

[AK+Marc]

Everyone you name is in the US. It's quite easy to leave the US. Pick a better place. There are many.

It shouldn't be between Trump and Clinton. The polls show Bernie leading Hillary, and that Bernie against trump would end in a Bernie victory. So Trump or Clinton is a false dichotomy. It could be Bernie. And if you don't like the choices, move. After a reelection of Bush, I figured there was nothing that could save the US, so I moved o a better place. Lower taxes, free health care, and better civil liberties. Such places exist.

Re: Why is this not a surprise?

[AK+Marc]

But it sure as hell wasn't easy - not if you're moving your whole family on a limited budget.

It wasn't hard to move a family of 4 half way around the world. The single largest expense in the exercise was shipping so much stuff with us. Next time, we'll leave more of our things behind. That'll cut the moving cost significantly. Showed up with about 3 months salary savings, no job, no place to live (a hotel reservation for a week). Found a longer hotel for a larger room at a cheaper price, bought a cheap car, and scouted out the new city, found a job, rented a house, and all that. Rented for a few years to save up for a down payment and bought a house 2 years into living in a new country. And you can get by with English-only in Denmark, and it's not as cold as some of the other Scandinavian countries. A little frugal living before and after the move, and you can pull it off.

Re: Why is this not a surprise?

[Hognoxious]

Right. Because Americans are so fucking awesome that all you have to is turn up anywhere else and they grant you instant citizenship.

Re: Why is this not a surprise?

[Zontar+The+Mindless]

No, just no. Fatalism and feeling guilty over your own existence is absolutely no way to live, and despite what you might be telling yourself, you don't really want to die.

Please get into counselling with a suitable professional ASAP.

Begin the process by calling a mental health or suicide prevention hotline *right now*.

Re: Why is this not a surprise?

[operagost]

Denmark is great if you don't mind xenophobia and state religion. Oh, and being prosecuted for "hate speech" if you criticize anyone's religion.

Re: Why is this not a surprise?

[sjames]

Trump is just more of the same only louder. I don't have much hope that the guy who was proud to be known for yelling "you're fired" is going to have any empathy for the unemployed. No, I don't suggest Hillary as an alternative. Your best shot is to vote in the primary hoping to get not Trump or not Hillary.

Re: Why is this not a surprise?

[AK+Marc]

Yes, when 99 things are better and one is worse, the rabid nationalists will ignore the 99 and assert the 1 is the most important. For someone that can rate everything on a reasonable scale, Denmark is better than the USA.

Blame game

[penguinoid]

It was all 100% the sacrificial lamb's fault.

This message has been approved by YAHWEH.

His career is over

Unless he's got some dream friends in high places, his career is over. When he gives for anther job - right or wrong - potential employer will see he went public.

It's worse if he tries to consult on his own.

Re:His career is over

[suutar]

His career was over when he got tagged for causing a huge data breach. At least this way he's unemployable for something he actually did.

FINALLY SOMEONE IS FIRED!

Doesn't matter if it's not the best to be fired, just as long as someone is made accountable! Go Georgia State!

The most confusing part:

Why is there a link to the article, that talks about this other link to the actual article. That's just weird.

I'm not surprised.

[gargleblast]

It's not every day a data breach speaks out.

Re:I'm not surprised.

[cdrudge]

It's a horrible headline.

Did the data breach speak out and cause the IT worker to be fired?
Was the IT worker fired because he spoke out about the data breach?
Was the IT worker already fired because of the data breach now speaking out?

The proper headline would read "IT Worker Speaks Out After Being Fired for Massive Georgia Data Breach"

shit article

[n3r0.m4dski11z]

I dont usually complain about articles but what the fuck slashdot

"To read more about what Cooley said in our exclusive interview, look for updates on [stupid other website]"

I was actually interested in this shit! that article says no fucking thing.

Re:shit article

First, you're expecting someone to click not only on TFA, but one of four links in the summary, then click on one of three other links within one of those links, and then recognize that, by hovering on the link, that unlike all other websites in the last decade, some text labeled "www.myajc.com" doesn't actually link to the main site of http://www.myajc.com/ but the specific article with more info ...?

You're the sort of employee that is awesome, and the sort of employer that I dread to work for. Hope you're not too far up the totem pole!

Re:shit article

[lloid]

They are the same company, but the actual meat of the article is behind their stupid paywall. They have a shitty model for a news site, which is give you random bits of info, but not the ones you want, then ask for money.

Re:Doesn't matter

[Fallen+Kell]

Obviously didn't read the article or the article that the article talks about. If you had read it, you would know that the person fired had requested from the people who have access to the real data for a second file to be created which included the social security numbers, etc., to be combined with the data in the voter registry (after himself being requested to provide the data in that format to another group internally at the State, and after having received confirmation and approval from the lawyers and boss to provide the data in that format to that group).

The F-up was that the people he requested for the separate new format data misunderstood the request and instead of creating a new file with the new format, simply updated the existing voter registration data and left it in the normal location that voter registration data always existed and didn't notify the person who was fired that they had made the changes like that. It wasn't until the person who was fired asked the contractor for an update on the new configuration that he was informed that it was done the day of the request and that they simply updated the voter registration file with the data.

The only mistake that the person fired made was that he then simply yanked and sanitized the voter registration file to remove those fields (since it shouldn't be in the voter registration file) and ran a search to try and see if anyone had accessed and copied the file (which didn't turn up anything). So he figured everything was caught before any damage could have been done. However, what he didn't know was that someone else had accessed and copied the file, but copied it to a place they were not suppose to copy it to (which is why the search turned up that no one had accessed the file), and then didn't review the file (again, as per policy for all files being sent out) for anything that shouldn't be sent out, and made CDs/DVDs of the copied file and sent them out to the 12 organizations/groups/individuals that always receive the monthly voter registration data.

Re: Doesn't matter

[BarbaraHudson]

Except that the summary made it clear that he was not the person who posted the data, nor the one who made copies and distributed them without checking the contents.

birth dates and social security numbers

[NostalgiaForInfinity]

People should stop using birth dates and social security numbers for security or identification purposes. We should use smart cards and public keys for identification, both for government services and financial transactions.

Re:birth dates and social security numbers

[bzipitidoo]

Yes, this! None of this info is private! And so, there was no data breach. Not only is the poor employee being blamed for an action that he didn't do, it wasn't or shouldn't even be problematic.

Further, if the info was thought so sensitive, why was it evidently stored without encryption? Who didn't encrypt the data? For decades, passwords have been transformed with secure one way hashes, and not even the system admins can view the originals. (May still be crackable, but that's another issue.) User names, user IDs, on the other hand, are still stored plainly, as they should be, because they aren't private, aren't meant to be private, no matter how much banks and others try to tell everyone to keep your user name a big secret. The systems can't function if there is no way to match actions to identities. How the heck is a citizen to renew a driver's license without an ID? Some sort of ID is essential, or we will be unable to keep records of who has what, and, who is allowed to drive. Don't want people incapable of driving trying to do so, and causing wrecks and injuries.

No, this firing is total political and security theater. It's also one of the downsides to being recognized as smart. You're easier to blame mistakes on. You should have known better, because you're so smart.

Re:birth dates and social security numbers

[crackspackle]

People should stop using birth dates and social security numbers for security or identification purposes. We should use smart cards and public keys for identification, both for government services and financial transactions.

Yes, but the only real practical way to do this is tie the key to biometric information such that when that private key or the signing authority get's compromised, you can get a new key by a) being alive and b) matching the biometric data. It should work at least until we can start duplicating people. Of course, if you tried to suggest such a thing in earnest, you'd be bombarded left and right by the civil libertarians and the religious wingnuts, government intrusion or mark of the beast , take your pick. Personally, I am the former and hare the idea although I know it's the only way.

Re:birth dates and social security numbers

[NostalgiaForInfinity]

Yes, but the only real practical way to do this is tie the key to biometric information such that when that private key or the signing authority get's compromised, you can get a new key by a) being alive and b) matching the biometric data.

You don't need online biometric information. A simple off-line photograph and fingerprint are enough. Sworn affidavits may also be used to replace some of those identifiers. That is, if you lose your identification card, you go to an office and re-establish your identity, and that process may be more cumbersome than merely some automated online process.

hmm

[sociocapitalist]

"The new file, he told them in an email, should include the same layout as the state’s regular statewide voter file. But, he said, it needed an addition of the three new data fields with the sensitive information."

Should be easy enough to verify this if the email hasn't been deleted or modified. If the request was to put the fields in a new file, onus on the other party. If not, onus on the Cooley.

Re:hmm

[youngjeffrey]

And what if the email says literally what is reported there and nothing else: "The new file should include the same layout as the regular voter file but with the addition of the three new data fields." Is it "easy to verify" which of your two cases is the case? No, it's ambiguous. Onus where then?

Re:hmm

[sociocapitalist]

And what if the email says literally what is reported there and nothing else: "The new file should include the same layout as the regular voter file but with the addition of the three new data fields." Is it "easy to verify" which of your two cases is the case? No, it's ambiguous. Onus where then?

To me that is not ambiguous.

There is an existing file referenced by the website. If the requester specifies a new file, that does not mean to change the existing file.

N'est pas?

Scott-free for Kemp

[RubberDogBone]

The Sec of State in GA is an elected position and as a result Kemp answers to no-one, not even the Governor. Kemp answers to the voters, only. And only on election day. And in this state the voters are probably going to give a blank stare about all of this mess. Burning CDs is majick wizard stuff.

So Kemp will be re-elected next round.

Why are voter records and SSN numbers ever merged?

[bhmit1]

"Cooley said the story began in late summer when the Secretary of State’s Office received a request from the Georgia Department of Revenue. The state agency, he said, wanted regular voter files plus something not given out to the public: voters’ Social Security numbers, birth dates and driver’s license numbers."

I can understand voter records including an address and birth date (verifying someone is old enough to vote and in the right precinct, and easier distinguishing between multiple people in a home with the same or similar name). But why do voter records need to include social security numbers and drivers license numbers? And why does the department of revenue need to see a list of voters? You should be able to vote without driving a car, social security numbers should only be used for social security and taxes, and voting shouldn't come with the threat of a government auditor showing up at your door. If the information isn't tracked and stored, then it can't be leaked or abused.

Data Breach

I'll be eagerly watching. With a headline as tantilizing as that, I wanna hear what the massive Georgia data breach said that caused the IT worker to get fired.

The really sad part

[jmcwork]

They are making him train his H1B replacement.

Re:Doesn't matter

[youngjeffrey]

No, that's not the *only* mistake he made. He also did not follow up on what happened with an *uber-sensitive* data request for *10 days*. (Nor check up on the existing public file for which he was responsible for the same period.)

Re: Doesn't matter

[youngjeffrey]

Sorry, but that's a non-exculpatory "see no evil" rationale. Hint: the word you are looking for is "responsible" rather than "posted" or "distributed".

Re: Doesn't matter

[BarbaraHudson]

He's still not the responsible party. The outside contractor screwed up, and as soon as it came to his attention, he acted.