Ohio Data Leak Gets Pinned On The Intern
from the passing-the-buck-eye dept
You might remember the recent data leak in Ohio, where personal info on a million or so people was lost, after a storage device containing it was stolen from an intern's car. The intern, who apparently took the device home with him as part of a security protocol, has now been fired by the state, and says he's being made the scapegoat for the loss. Despite the governor's claims to the contrary, of course the intern's being scapegoated, even though he apparently was just doing what he was told. That's how things work with data leaks: the buck is passed, and responsibility shirked. In this instance, the state can say the responsible party has been fired, glossing over the fact that he was apparently just following directions he'd been given, and that the real problem here was a flawed security plan that was either devised by an idiot, or, more likely, by somebody who didn't take the security of other people's personal info very seriously. That's the problem here: nobody seems to care when it's other people's data. There are never any real ramifications from these leaks, as long as companies or governments are seen to have some security plan in place, even if it's not a good one. Until that changes -- and the scapegoating and responsibility shirking stops -- data leaks and breaches are going to keep on coming.Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: data breaches, identity theft, ohio, security
Reader Comments
Subscribe: RSS
View by: Time | Thread
now let's sit back and watch the flame war begin, and be sure to read the other article about flame wars, you may want to be careful on what you say :)
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Use Encryption people!
[ link to this | view in chronology ]
Re: Use Encryption people!
No reasonable person would argue that this was a big smack in the face for some obviously less than cautious people... but keep in mind how difficult of a job they have of protecting that sensitive data... all while not spending a dime of those person's tax money.
[ link to this | view in chronology ]
Re: Re: Use Encryption people!
[ link to this | view in chronology ]
Oh Please.
[ link to this | view in chronology ]
Re: Oh Please.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
he should sue from wrongful termination.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Intern Fired
I don't care that his car was not locked. I live in a place where you can leave things unlocked. But regardless the thief is who stole the drive.
The persons that are responsible are, the one to come up with the idea of the take home hard drive, and the one that signed off on the idea.
As they are civil servants, no merit raises, no promotions, and they should be put at the bottom step of their pay grade.
The only other option, their resignation.
[ link to this | view in chronology ]
It's the interns fault, as well as the fault of whatever 'management' decided that was a good data protection policy.
[ link to this | view in chronology ]
Plenty of blame to go around
Weak link #2: Procedures that require said intern to take tape home with him (bad design)
Weak link #3: Poor encryption standards that would allow critical data like this to even potentially be usable by a 3rd party (bad choice)
So, let's make sure every failure point gets addressed. The intern should certainly be canned (with cause), but the systems and policies ALSO need overhauling.
[ link to this | view in chronology ]
Re: Plenty of blame to go around
[ link to this | view in chronology ]
How can people blame the intern???
"Hey Joe, take this thing home with you tonight."
"Sure, Mac, what is it?"
"Just some backups. We like to have a couple copies off-site every night. I'm taking one too. I would have given yours to Sam, but he's already left."
"I'm not so comfortable with that - what if something happens?"
"What's gonna happen? Just throw the thing in your car and bring it back in tomorrow. Besides, it's policy that two different people have backups. You wouldn't want to get fired for refusing to follow policy, would ya?"
I love geniuses that pass the buck onto an intern that just wants to do his internship, without hassle, so that he gets a reference.
[ link to this | view in chronology ]
Why was an intern given so much sensitive data?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
An intern by definition is learning on the job, and my home state has provided a really bad example of how to handle sensitive data. He shouldn't be fired because the state has failed to put together a competent disaster recovery program. It was the state that failed to protect the identity of state employees, not the intern.
[ link to this | view in chronology ]
I think we can all agree...
[ link to this | view in chronology ]
[ link to this | view in chronology ]
NoName is right
Second, the intern claims that he was simply told to take the backup home overnight and return it the next day, and the issue of how to secure the backup was never discussed. Again, if that's true, then the fault was with the creators/implementers of the protocol above the lowly intern.
NoName is correct...if they want the tape secured, they have to be very explicit about what they mean by that. You can't just give employees vague duties and then fire them when they don't follow the specifics you, as a supervisor, should have given them in the first place.
[ link to this | view in chronology ]
supervisors
[ link to this | view in chronology ]
Gimme a break...
The intern was hopelessly inept.
Kinda reminds me of the second year student that couldn't figure out why he couldn't get a 11,000 string array to run worth a crap (in 1999). Why aren't the fundamentals being taught and stressed?
I wrote the governor - as I am in Ohio - and advised that he consider also canning the kid's immediate super, too. The intern had only been with the state for two months when he was charged with the back-up duties. You trust an intern with only two months track record with that stuff? I think not! It also was not - by his own admission - his first time leaving it in a car.
Only a moron leaves such important data in such an environment to begin with
For the record - one ALWAYS keeps a back-up of critical data off-site. If you keep it on site and say - there's a theft, or tornado - or highly destructive fire - then you have no back-up at all - or original data either. That's why you keep one off site, the classic back-up schedule and protocol cited is the one devised by Planned Parenthood a couple of decades ago. And that is almost certainly the model used. After all - it takes a mighty safe to also be BOMB proof. A safe alone is not proper security - if the safe is on location where the originating data is.
I don't know if the Gov ever actually saw my letter - but I did advise him of a company in Columbus that would certainly provide the utmost in data security - and if you need one they are also a very flexible and excellent host - JTLnet. They could deposit their back-ups with JTLnet at almost any hour of the day since they staff 24/7 --- or even backup over the wire -- or both.
Finally - the intern was 22 - does his mom still wipe the doo doo off his fanny? How on earth do you get to 22 and be that irresponsible in that sort of position?
There is zip zero excuse for the way the intern handled the data he was charged with protecting.
[ link to this | view in chronology ]
Re: Gimme a break...
After all your bandwagon ranting, you never did state just what you thought the intern should have done. So how about it, just what you thought the intern should have done?
[ link to this | view in chronology ]
Hmmm ...
[ link to this | view in chronology ]
Intern Scapegoat
[ link to this | view in chronology ]
Ohio Data Leak
Rick In Michigan
[ link to this | view in chronology ]
Re: Ohio Data Leak
The back up tape that was stolen was created on a faulty tape drive that had mis-aligned heads, so the data would only be readable by that tape drive or with sophisticated equipment.
There is no evidence that the data had been accessed.
His information was on the tape too, but he was not worried.
These are all a crock!
The state is paying for a credit verification service called Debix. This service will block any credit verifications until you are contacted and you supply them with your PIN. This service is being provided for 1 year. What happens in year two when the thieves of the tape drive start selling your information off and you are no longer protected? Why should I have to be forced to pay for this kind of protection for the rest of my life because some dip shit intern, and his management team are incompetent?
For the record I have contacted my state rep. and Mike Foley has not returned any of my emails. This ass clown will not be getting my vote next election. In Fact I will be actively campaigning for who ever runs against him.
[ link to this | view in chronology ]