IT Worker Fired After Massive Georgia Data Breach Speaks Out

McGruber writes: On November 17, two Georgia women filed a class action lawsuit alleging that Georgia Secretary of State Brian Kemp had released the Social Security numbers, birthdates, Drivers License numbers and other private information of all registered voters in Georgia. After the lawsuit was filed, Secretary Kemp posted an official notice of the breach on his website as required by Georgia state law.

Secretary Kemp also sent a private letter to Georgia lawmakers describing how the breach happened. In the letter, obtained by The Atlanta Journal-Constitution, Kemp said his office learned of the foul-up on Nov. 13 — four days before any public acknowledgment of the problem. In that private letter to Georgia lawmakers, Kemp also stated that he fired the IT worker who had inadvertently added the personal data including Social Security numbers and birth dates to the public statewide voter file.

Now that fired IT worker, longtime state programmer Gary Cooley, has told the Atlanta Journal Constitution newspaper that he did not actually have the security access necessary to add millions of Social Security numbers and birth dates to the data file that was released to the public. While Cooley does acknowledge a role in the gaffe, he also outlined a more complicated series of missteps and miscommunications both within Kemp's office and with PCC Technology Group, an outside vendor tasked with managing voter data for the state.

Users blaming IT

News at 11:00

saner summary.

[nimbius]

for those unwilling to shuffle through two links and random popups, heres the situation:

Cooley doesnt seem to be an IT guy at all, just a liaison for an IT outsource firm that handles the data for Georgia. his department got a request from the revenue department for the data. Cooley then got approval from his departments lawyers and requested the new datafile with sensitive info. The vendor however didnt understand the request and put the sensitive data on a public network share. Cooley quickly removed it from the share, but --and this is key-- an entirely separate group of people copied the file, burned it to CD, and released it to a far broader audience. Cooley did his job, but is being blamed for something hes entirely not a part of. Namely, some other agencies cock-up.

instead of "coming clean" to a newspaper, he should have filed a wrongful termination suit. I'd wager Cooley doesnt care about that, and is just glad to get out from an underpaying cube-slave job with low oversight and piss poor accountability and management.

Re:saner summary.

[fred911]

"instead of "coming clean" to a newspaper, he should have filed a wrongful termination suit."

  Except for the fact that most employees in the state of Georgia are "at will". Which generally means they can fire
him with or without cause. Without knowing if there was an employment contract it's just speculation.

Re:saner summary.

[s.petry]

"At will" does not mean what you are implying. Wrongful terminations are quite possible, though obviously difficult to prove without extreme circumstances. This guy has extreme circumstances, and a politician on record saying they fired the responsible employee. Libel and Slander are also possible given this situation, so as a hunch the State of GA will be handing this guy a big pile of hush money^W^W^W^Wcheck for damages.

Re:saner summary.

[clovis]

They were right to fire him, but not for what he did, but what he did not do.
The data was exposed for 10 days, and he fixed that the instant he discovered the exposure.

What he did not do was tell his boss about it.

  His boss was put into the position of walking into a meeting with his dick hanging out, and he could have known, but the one guy who did know " thought it was ok"

Of all the sins an employee can make, it is a thousand times worse if the boss finds out about a screwup in his department from guy at the top, or worse, the newspaper, or worse yet, the lawyers.

Re:saner summary.

The miscommunication still falls on the person directly managing the situation, even if they weren't qualified to understand the problem.

You don't need to be a carpenter to run a general contracting company and build homes, but if your build faulty homes and someone gets hurt it still lands on your head. You can try to blame a sub-contractor, but one of the main reasons people hire general contractors is to manage all the multiple elements of a complex build.

If Cooley did not fully understand what was going on or did no fully communicate his needs, that's his fault, especially as the person effectively in charge of the project. Of course Cooley's boss should still take the brunt of the blame because that's how you root out bad management.

The people who posted this info must have had access to it, any reason able amount of follow through should have alerted them that a large amount of sensitive data was being posted publicly. I've been in plenty of IT situation where I had to real in security because everyone else was oblivious, even though that was clearly not my job role. IT work isn't unskilled labor, your supposed to know better than to do stuff like this, even if your just working with a company to host some data online. I suspect they were all getting paid well enough that there is no excuse for being so sloppy and oblivious.

Re:saner summary.

[l0n3s0m3phr34k]

Seeing that this is all over the news, and Georgia Secretary of State Brian Kemp has made multiple public statements about the firing, absolute proof in this specific incident shouldn't be too difficult.

Re:saner summary.

[idontgno]

Experience says that whistle-blowing is the best and fastest way to get blackballed. I'm pretty sure "You'll never work on this planet again" is already the case.

Re:saner summary.

[clovis]

IT work isn't unskilled labor, your supposed to know better than to do stuff like this, even if your just working with a company to host some data online. I suspect they were all getting paid well enough that there is no excuse for being so sloppy and oblivious.

This^
Thanks, you said it better than I did.

Why is this not a surprise?

[schwit1]

It's always a minion that gets blamed and the punished. The prisoners are tortured at Abu Ghraib, and only the underlings go to jail. Their bosses knew. The bosses always know or should have known.

Nothing will change until top people like Brian Kemp or the former head of OPM are thrown into jail for years.

I'm not surprised.

[gargleblast]

It's not every day a data breach speaks out.

Re:Doesn't matter

[Fallen+Kell]

Obviously didn't read the article or the article that the article talks about. If you had read it, you would know that the person fired had requested from the people who have access to the real data for a second file to be created which included the social security numbers, etc., to be combined with the data in the voter registry (after himself being requested to provide the data in that format to another group internally at the State, and after having received confirmation and approval from the lawyers and boss to provide the data in that format to that group).

The F-up was that the people he requested for the separate new format data misunderstood the request and instead of creating a new file with the new format, simply updated the existing voter registration data and left it in the normal location that voter registration data always existed and didn't notify the person who was fired that they had made the changes like that. It wasn't until the person who was fired asked the contractor for an update on the new configuration that he was informed that it was done the day of the request and that they simply updated the voter registration file with the data.

The only mistake that the person fired made was that he then simply yanked and sanitized the voter registration file to remove those fields (since it shouldn't be in the voter registration file) and ran a search to try and see if anyone had accessed and copied the file (which didn't turn up anything). So he figured everything was caught before any damage could have been done. However, what he didn't know was that someone else had accessed and copied the file, but copied it to a place they were not suppose to copy it to (which is why the search turned up that no one had accessed the file), and then didn't review the file (again, as per policy for all files being sent out) for anything that shouldn't be sent out, and made CDs/DVDs of the copied file and sent them out to the 12 organizations/groups/individuals that always receive the monthly voter registration data.

birth dates and social security numbers

[NostalgiaForInfinity]

People should stop using birth dates and social security numbers for security or identification purposes. We should use smart cards and public keys for identification, both for government services and financial transactions.

Re:shit article

[lloid]

They are the same company, but the actual meat of the article is behind their stupid paywall. They have a shitty model for a news site, which is give you random bits of info, but not the ones you want, then ask for money.

Re:His career is over

[suutar]

His career was over when he got tagged for causing a huge data breach. At least this way he's unemployable for something he actually did.