Slashdot Mirror

← Back to Stories (view on slashdot.org)

IT Worker Fired After Massive Georgia Data Breach Speaks Out (ajc.com)

Posted by samzenpus on from the holding-the-bag dept.

McGruber writes: On November 17, two Georgia women filed a class action lawsuit alleging that Georgia Secretary of State Brian Kemp had released the Social Security numbers, birthdates, Drivers License numbers and other private information of all registered voters in Georgia. After the lawsuit was filed, Secretary Kemp posted an official notice of the breach on his website as required by Georgia state law.

Secretary Kemp also sent a private letter to Georgia lawmakers describing how the breach happened. In the letter, obtained by The Atlanta Journal-Constitution, Kemp said his office learned of the foul-up on Nov. 13 — four days before any public acknowledgment of the problem. In that private letter to Georgia lawmakers, Kemp also stated that he fired the IT worker who had inadvertently added the personal data including Social Security numbers and birth dates to the public statewide voter file.

Now that fired IT worker, longtime state programmer Gary Cooley, has told the Atlanta Journal Constitution newspaper that he did not actually have the security access necessary to add millions of Social Security numbers and birth dates to the data file that was released to the public. While Cooley does acknowledge a role in the gaffe, he also outlined a more complicated series of missteps and miscommunications both within Kemp's office and with PCC Technology Group, an outside vendor tasked with managing voter data for the state.

5 of 113 comments (clear)

  1. saner summary. by nimbius · · Score: 5, Informative

    for those unwilling to shuffle through two links and random popups, heres the situation:

    Cooley doesnt seem to be an IT guy at all, just a liaison for an IT outsource firm that handles the data for Georgia. his department got a request from the revenue department for the data. Cooley then got approval from his departments lawyers and requested the new datafile with sensitive info. The vendor however didnt understand the request and put the sensitive data on a public network share. Cooley quickly removed it from the share, but --and this is key-- an entirely separate group of people copied the file, burned it to CD, and released it to a far broader audience. Cooley did his job, but is being blamed for something hes entirely not a part of. Namely, some other agencies cock-up.

    instead of "coming clean" to a newspaper, he should have filed a wrongful termination suit. I'd wager Cooley doesnt care about that, and is just glad to get out from an underpaying cube-slave job with low oversight and piss poor accountability and management.

    --
    Good people go to bed earlier.
    1. Re:saner summary. by s.petry · · Score: 4, Interesting

      "At will" does not mean what you are implying. Wrongful terminations are quite possible, though obviously difficult to prove without extreme circumstances. This guy has extreme circumstances, and a politician on record saying they fired the responsible employee. Libel and Slander are also possible given this situation, so as a hunch the State of GA will be handing this guy a big pile of hush money^W^W^W^Wcheck for damages.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    2. Re:saner summary. by clovis · · Score: 5, Interesting

      They were right to fire him, but not for what he did, but what he did not do.
      The data was exposed for 10 days, and he fixed that the instant he discovered the exposure.

      What he did not do was tell his boss about it.

        His boss was put into the position of walking into a meeting with his dick hanging out, and he could have known, but the one guy who did know " thought it was ok"

      Of all the sins an employee can make, it is a thousand times worse if the boss finds out about a screwup in his department from guy at the top, or worse, the newspaper, or worse yet, the lawyers.

    3. Re:saner summary. by Anonymous Coward · · Score: 4, Interesting

      The miscommunication still falls on the person directly managing the situation, even if they weren't qualified to understand the problem.

      You don't need to be a carpenter to run a general contracting company and build homes, but if your build faulty homes and someone gets hurt it still lands on your head. You can try to blame a sub-contractor, but one of the main reasons people hire general contractors is to manage all the multiple elements of a complex build.

      If Cooley did not fully understand what was going on or did no fully communicate his needs, that's his fault, especially as the person effectively in charge of the project. Of course Cooley's boss should still take the brunt of the blame because that's how you root out bad management.

      The people who posted this info must have had access to it, any reason able amount of follow through should have alerted them that a large amount of sensitive data was being posted publicly. I've been in plenty of IT situation where I had to real in security because everyone else was oblivious, even though that was clearly not my job role. IT work isn't unskilled labor, your supposed to know better than to do stuff like this, even if your just working with a company to host some data online. I suspect they were all getting paid well enough that there is no excuse for being so sloppy and oblivious.

  2. I'm not surprised. by gargleblast · · Score: 4, Insightful

    It's not every day a data breach speaks out.