Intern Loses 800,000 Social Security Numbers

Zonk posted more than 7 years ago | from the bad-day-bad-day dept.

Security 492

destinyland writes "A 22-year-old intern said today he's the 'scapegoat' for the loss of over 800,000 social security numbers - or roughly 7.3% of the people in the entire state of Ohio. From the article: 'The extent of my instructions on what to do after I removed the tapes from the tape drive and took the tapes out of the building was, bring these back tomorrow.' Three months into his $10.50-an-hour internship, he left the tapes in his car overnight — unencrypted — and they were stolen. Interestingly, the intern reports to a $125-an-hour consultant — and was advised not to tell the police that sensitive information had been stolen, which initially resulted in his becoming the prime suspect for the theft. Ohio's Inspector General faults the lack of data encryption — and too many layers of consultants. But their investigation (pdf) revealed that Ohio's Office of Management and Budget had been using the exact same procedure for over eight years."

492 comments

Scapegoat? Maybe, but he's still a moron. (5, Insightful)

SatanicPuppy (611928) | more than 7 years ago | (#20009793)

"So what did you learn interning this summer?"
"DIAF."

I'm forever amazed at how often people seem to be willing to snag a stack of backup media out of the back of someone's car. The criminal element seems to be quite tech savvy these days; I just wish some of that would pass to the rest of the population.

I live in the south, and "media left in a car" is not really a problem here; leaving tapes in the back seat of a car in the summertime is what we do when the incinerator is out of order...Works even at night!

Who the hell would send an intern out with backup tapes anyway? Makes no sense. Is that their offsite storage procedure? Send the tapes home with an intern, and hope he brings 'em back? Reading the PDF report, that turns out to be exactly what their procedure was...They even had it in their disaster plan, which makes me think it was more disaster and less plan. What the hell? Does the state of Ohio have so few buildings that they have to send the tapes home with people?

Fricking consultants. By the "You get what you pay for" scale you'd think $125-an-hour would buy you more than a huge pain in the ass like this. Sounds like the whole organization was rotten though, so it's hard to blame them.

Re:Scapegoat? Maybe, but he's still a moron. (-1, Troll)

Anonymous Coward | more than 7 years ago | (#20009901)

While your rant has some good points, in my opinion this should be placed on everyone's heads all the way to the top.

Ah, who am I kidding? With the current administration, not gonna happen.

If I've learned anything from former CIA & FEMA leaders, this intern's on his way to being fired and then given our nation's highest honor and medal for taking the fall for someone else.

Are you really trying to blame Bush? (4, Funny)

benhocking (724439) | more than 7 years ago | (#20009987)

First, someone decided to blame the Scaled Composites explosion on Bush and now this? I don't like Bush, either, but there are (still) limits to his power, you know.

Re:Are you really trying to blame Bush? (1, Interesting)

Anonymous Coward | more than 7 years ago | (#20010063)

"First, someone decided to blame the Scaled Composites explosion on Bush and now this? I don't like Bush, either, but there are (still) limits to his power, you know."
No one's blaming this on him. Just asking why he or any one of his cabinet members never takes responsibility and owns up to messes they've made.

"It's someone else's fault but you're lucky you have me cause I'll fix it!"
Should be:

"I'm in charge of a system that's broken and I am partly at fault for that. It will be fixed though, these processes will be improved."
But, you know, I've never once heard Bush personally say that he's responsible for anything--you can't trust people like that.

Re:Are you really trying to blame Bush? (1)

markov_chain (202465) | more than 7 years ago | (#20010105)

That's what they want you to think!

Yes, I am (5, Funny)

Anonymous Coward | more than 7 years ago | (#20010159)

I stubbed my toe this morning on my coffee table. Explain to me how that is NOT Bush's fault. You got no answer for that one, huh?

Re:Scapegoat? Maybe, but he's still a moron. (5, Insightful)

baudilus (665036) | more than 7 years ago | (#20009929)

It doesn't necessarily mean that the criminal element is more tech savvy, but in today's world it's quite apparent that data tapes (usually marked with the size of the tapes, i.e. 50GB, 100GB, etc.) usually mean sensitive information - which is usually salable. Heck, even a crackhead would recognize that and try to sell them for a few bucks, not knowing what he really had. The real travesty here is the fact that the tapes were unencrypted. The intern himself could've taken the tapes home, read and copied all the data, returned the tapes, and no one would have known. If you don't want to pay for off-site storage, at least encrypt your data!

Re:Scapegoat? Maybe, but he's still a moron. (1, Insightful)

Anonymous Coward | more than 7 years ago | (#20010123)

"but in today's world it's quite apparent that data tapes (usually marked with the size of the tapes, i.e. 50GB, 100GB, etc.) usually mean sensitive information - which is usually salable."
I kind of question whether the typical car thief has any idea how to sell data from DLT tapes. Most likely, they would sell them to some company willing to buy used DLT's for $5 each instead of $25-$50, though the fact they were stolen from a government parking lot implies the criminal MAY have been looking for such a lapse.

Re:Scapegoat? Maybe, but he's still a moron. (3, Insightful)

MrNaz (730548) | more than 7 years ago | (#20010403)

My initial tinfoil hat response is this:
Someone on the outside was paying the $125 consultant for the data, so the consultant set up that little scenario so his buddies on the outside could get their hands on the data, making what was an espionage job look like a little bit of regular garden variety bureaucratic incompetence.

Re:Scapegoat? Maybe, but he's still a moron. (0)

Anonymous Coward | more than 7 years ago | (#20010319)

Automated backups are encrypted now? When did this happen?

Re:Scapegoat? Maybe, but he's still a moron. (2, Insightful)

lawpoop (604919) | more than 7 years ago | (#20010387)

"in today's world it's quite apparent that data tapes (usually marked with the size of the tapes, i.e. 50GB, 100GB, etc.) usually mean sensitive information - which is usually salable. Heck, even a crackhead would recognize that and try to sell them for a few bucks, not knowing what he really had."
I don't see how a crackhead could line this deal up. Their only market seems to be the pawnshop and the street corner.

I take it that you are a relatively savvy tech-head geek. Would you be able to line up a buyer for social security or other personal information?

Re:Scapegoat? Maybe, but he's still a moron. (2, Insightful)

loafula (1080631) | more than 7 years ago | (#20010071)

i'm willing to bet whoever stole the tapes from the car didn't know what the hell he or she was stealing. they went in for the radar detector, saw the tapes, and grabbed them cause they were there. they're probably at the bottom of some restaurant's dumpster by now. or well burnt and buried in the woods. you can't blame the intern too much, though. any institution whose policy is to bring the tapes home probably doesn't stress data security all that much, and him being an intern means he probably doesn't have all that much experience to know just how important it is.

Re:Scapegoat? Maybe, but he's still a moron. (2, Interesting)

SatanicPuppy (611928) | more than 7 years ago | (#20010199)

He's 22! If someone handed me a stack of backup tapes to take home when I was 16 I might have done it, but not at 22! Anything you take home from work is a risk, you should know that by that point.

That being said, yea, the organization is primarily at fault. This is their offsite storage method, according to their disaster of a recovery plan. That it hasn't bitten them in the ass before this is nothing more than luck.

Re:Scapegoat? Maybe, but he's still a moron. (1)

SatanicPuppy (611928) | more than 7 years ago | (#20010229)

Crap. Replied to the wrong post. Sorry about that. Puppy needs more coffee.

Re:Scapegoat? Maybe, but he's still a moron. (1)

loafula (1080631) | more than 7 years ago | (#20010299)

heh heh.. it's all good.

Re:Scapegoat? Maybe, but he's still a moron. (5, Insightful)

TapeCutter (624760) | more than 7 years ago | (#20010153)

"Sounds like the whole organization was rotten though, so it's hard to blame them."

As someone who spent a decade or so as a "fricking consultant" I don't find it hard to blame him. If Mr. $125/hr was a half competent consultant he should at the very least have email evidence to show that he tried to change this retarded procedure but was vetoed by his superior. If he has such evidence then rinse & repeat up the PHB ladder.

Re:Scapegoat? Maybe, but he's still a moron. (4, Insightful)

Oligonicella (659917) | more than 7 years ago | (#20010245)

Very much in agreement with you.

As a 30+ year consultant, I've banged my head numerous times against stupid 'security'. Many times, I simply refused to follow their procedures. Let some company goon do the stupid thing. I'm paid to be an analyst and if I spot a problem and report it, I'm certainly not going to follow procedures I myself have labeled as bad.

The consultant is the primary blame and the intern a very far second. Just because a company has bad procedures doesn't mean you follow them.

Re:Scapegoat? Maybe, but he's still a moron. (4, Interesting)

Alizarin Erythrosin (457981) | more than 7 years ago | (#20010195)

"Who the hell would send an intern out with backup tapes anyway? Makes no sense. Is that their offsite storage procedure? Send the tapes home with an intern, and hope he brings 'em back? Reading the PDF report, that turns out to be exactly what their procedure was...They even had it in their disaster plan, which makes me think it was more disaster and less plan. What the hell? Does the state of Ohio have so few buildings that they have to send the tapes home with people?"

Part of me always thinks some of these stories are really fishy...

I mean, he tells the intern to take the tapes home, but bring them back tomorrow. Which is pretty stupid in its own right, but let's throw a little conspiracy angle in. The consultant sells the data on the tapes, but he just can't hand it over, so he tells an intern to take these tapes home and bring them back tomorrow. Tapes get stolen, consultant's deal goes off, the buyer gets his data, and it becomes an everyday incident of "My car got broken into and everything was taken!"

People take laptops home for one night and it gets stolen, and it just so happens to have a million people's information on it. Over and over. I realize that things need to be encrypted, but still... the conspiracy angle dictates that not encrypting the data in these cases is the goal.

Re:Scapegoat? Maybe, but he's still a moron. (4, Interesting)

SatanicPuppy (611928) | more than 7 years ago | (#20010363)

Yea, that's kinda what I was thinking wrt the "Tech savviness of the modern criminal."

You have to accept that the same kind of criminal who is going to bust your window to steal crap out of your car is going to snag a few tapes, contents unknown, on the principle that he can sell it to someone? Even if the stuff turns out to be valuable, he won't make any real money off of it because (assuming he actually knows of someone who would buy SSNs) the buyer would be free to misrepresent the value.

I'd say this is a targeted theft by someone who knew damn well that those tapes would be going home with someone...Easy information to have because you know that, as many consultants as they've cycled through that place, tons of people knew their policy.

Also, scam sites are going to be all over this (2, Insightful)

sgant (178166) | more than 7 years ago | (#20010205)

I can see it now, spam email going out saying "due to the recent theft of Social Security numbers, please check here to see if your number was stolen. Just input your number here, and we'll tell you if yours was part of the theft...have a nice day..."

Re:Scapegoat? Maybe, but he's still a moron. (1)

The Real Toad King (981874) | more than 7 years ago | (#20010233)

"The criminal element seems to be quite tech savvy these days"

Do you live on /.? Where I live, there's robberies, murders, and all types of non-tech related crimes all over the place. Hell, even a couple years ago, my dad's golf clubs got robbed when he left the garage door open when going out one night. The only reason these don't get the big headlines is because of the magnitude of them. 800,000 social security numbers stolen just has more of a kick to it than some 40 year old father having his golf clubs stolen.

Of course, I live in Oakland County, Michigan, which is just on the outskirts of Detroit...

Re:Scapegoat? Maybe, but he's still a moron. (1)

hcdejong (561314) | more than 7 years ago | (#20010287)

IMO there's nothing wrong with sending tapes home with people. You could set up a round robin, with tapes from building A being stored in building B, but that's not inherently more secure than someone having the tapes at home. You're going to have to set up some sort of secure storage anyway.
Leaving the tapes in a car overnight is stupid, though.

The biggest problem with moving tapes around is that you have to make sure they're not moved in a car with a great big stereo. Subwoofers can play havoc on magnetic media.

obviously he is an idiot. (3, Interesting)

falcon5768 (629591) | more than 7 years ago | (#20009801)

I don't leave my freaking DS in the car let alone sensitive data like that. But there is plenty of blame to go around on this... in particular the fact that other than to prevent loss in the case of a fire, I can't see one legitimate reason for the tapes even leaving the site.

Hell even in that case, why didn't they have a remote backup to prevent loss through a fire or flood?

Yep plenty of blame to go around.

Re:obviously he is an idiot. (0)

Anonymous Coward | more than 7 years ago | (#20009839)

Plenty of identity fraud to go around as well by the sheer incompetence.

Re:obviously he is an idiot. (1)

NeoTerra (986979) | more than 7 years ago | (#20009941)

"I was the newest person in the door so I inherited the job of taking the data tapes out of the building."

So why, exactly, do you make the newest person take the tapes out? The background check is the newest? I'm thinking they were just a little lazy.

Re:obviously he is an idiot. (1)

secret_squirrel_99 (530958) | more than 7 years ago | (#20009947)

"to prevent loss in the case of a fire, I can't see one legitimate reason for the tapes even leaving the site."

Which is precisely why offsite copies are made. All legitimate backup schemes involve the offsite storage of tapes. Most companies contract with a company that specializes in this sort of thing, like Iron Mountain. All data centers are at risk of physical catastrophe in addition to fires. Earthquakes, tornados, floods, hurricanes, etc depending on locale. Shipping the tapes offsite is not the problem. Doing it irresponsibly is.

"why didn't they have a remote backup?"

Again for any number of reasons. Inadequate bandwidth, insufficient storage, unavailability of another suitable site etc. Remember that backups are often kept (whether for business or regulatory purposes) for many years. Tape is still the most cost effective way to do this.

Re:obviously he is an idiot. (1)

SatanicPuppy (611928) | more than 7 years ago | (#20009995)

Our tape rotation is as follows: All tapes in a tape safe, all Monday tapes go off site for 2 months, all quarterly tapes are stored for 2 years off site, and all yearly tapes are stored offsite for 5 years. The tapes are transported by an employee whose job is to move various papers, tapes, etc, back and forth on a daily basis.

It's easy, sensible, reasonably secure. The offsite location is a satellite office, they have a locking tape safe in which they store the tapes. If the tapes were stolen, most of the data is not encrypted...With the exception of Credit Card Numbers, Bank Account Numbers, and Social Security Numbers.

The system that contains this sensitive data was originally installed in 1982; it's an MPE/iX based accounting system written primarily in Cobol. A fossil, basically, but clearly superior to what Ohio uses. Maybe one day the state of Ohio will move technologically forward to the 80's.

I think the bigger problem (3, Insightful)

afidel (530433) | more than 7 years ago | (#20009805)

Is that 7.3% of the population is working directly for the state government! I wonder what total percentage of the population works directly and indirectly (such as the contractor) for the government at all levels?

Re:I think the bigger problem (5, Funny)

CaffeineAddict2001 (518485) | more than 7 years ago | (#20009927)

If you pay taxes you work for the government =)

Re:I think the bigger problem (2, Insightful)

CheeseTroll (696413) | more than 7 years ago | (#20010033)

If you pay the gov't, isn't gov't working for you?

Re:I think the bigger problem (2, Insightful)

CaffeineAddict2001 (518485) | more than 7 years ago | (#20010307)

It depends if you believe the government is working towards your interests or not. Since paying taxes is not optional, I'm sure most people would agree that they do not.

Re:I think the bigger problem (1)

pete-classic (75983) | more than 7 years ago | (#20010361)

Seems like it ought to, but that clearly isn't the case.

-Peter

Re:I think the bigger problem (2)

sholden (12227) | more than 7 years ago | (#20010037)

http://www.washingtonpost.com/wp-dyn/content/article/2006/10/05/AR2006100501782.html [washingtonpost.com] - 14.6 million federal
http://www.heartland.org/Article.cfm?artId=18746 [heartland.org] - 15.8 million state and local

So over 10%. Which probably doesn't include state and local contractors. Or the industrial part of the "military-industrial complex"...

Re:I think the bigger problem (1)

Mornelithe (83633) | more than 7 years ago | (#20010045)

Do you say this based on the assumption that the numbers stolen were those of employees? They were not necessarily.

For instance, I got a letter that my number was stolen, because I (apparently) was on a list of people who hadn't cashed their tax return check by some date or another. I don't work for the Ohio state government, though.

The article says that 770,000 of the numbers were from tax payers, and 64,000 were from state employees.

Re:I think the bigger problem (1)

DrLudicrous (607375) | more than 7 years ago | (#20010057)

No, they are general population. For instance, if you hadn't cashed your state tax refund, your name and SSN was on the backup.

And I think the bigger problem (4, Informative)

DragonWriter (970822) | more than 7 years ago | (#20010135)

Is your reading comprehension:

There were SSN's of 770,000 taxpayers plus 64,000 state employees that together were 7.3% of the state population. Nowhere does it say that 7.3% of the population was working for the state government.

Re:And I think the bigger problem (1)

afidel (530433) | more than 7 years ago | (#20010175)

Ah, I had read an earlier article that said the SSN's were from state employees. Guess it pays to RTFA =)

Re:I think the bigger problem (1)

jimbolauski (882977) | more than 7 years ago | (#20010163)

When the idiot Ted Strickland took office, one of the items that the previous administration was working on was implementing a security policy for sensitive data. Ted decided to not continue this action, and now my identity will be stolen because I worked for a state school 4 years ago. The best part of it all is the notice they sent me which stated that my SS# was stolen and they offered to give me 1 year of credit protection, because whoever has the disk would need to know how their program works in order to see my SS#. Whew, I'm relieved that my SS# is not stored in ASCII; no way could anyone be able to read an unsigned long, they might have to choose between big-endian and little-endian.

Re:I think the bigger problem (1)

gskouby (61416) | more than 7 years ago | (#20010173)

I don't know if it was in the PDF so I can't say RTFPDF but it wasn't only information about govt employees. Information about people who hadn't cashed state tax refund checks as well as welfare recipients, just to name a few, were also on the tape.

It Figures... (1)

alexj33 (968322) | more than 7 years ago | (#20009809)

Just goes to show you- no matter how good of an employee you are, sometimes the blood that they hand to the angry masses is yours.

Re:It Figures... (1)

plague3106 (71849) | more than 7 years ago | (#20009977)

Um, I wouldn't call anyone forgetting backup tapes in his car a good employee. Besides the risk of being stolen, melting is another possibility if it's hot enough.

That, and he should know better than to not report something stolen to the police... especially if it's someone else's property.

Re:It Figures... (5, Insightful)

AutopsyReport (856852) | more than 7 years ago | (#20009993)

Yeah, it's easier for any entity to blame its peons for misjudgment rather than highlight the lack of process that would have prevented this type of situation in the first place. The higher-ups had the noose on this kid before anyone else bothered to realize the intern is not to blame. And now we've got an article on Slashdot about how the "intern" lost the SSN's. But did he really lose them?

To all the comments that are calling the intern an idiot for leaving the tapes in his car, I ask you this: where should he have stored them? In his apartment which can be just as easily broken into? Was he supposed to rent out a protected storage unit at his own expense? The correct answer is that he should have never been responsible for storing them. Now ask yourself what is worse: a superior handing over 800,000 SSN's to an intern, or an intern leaving those SSN's in his car?

Re:It Figures... (0)

Anonymous Coward | more than 7 years ago | (#20010365)

"The correct answer is that he should have never been responsible for storing them. ask you this: where should he have stored them?"

He should not have accepted the tapes to begin with. You do not store company property at your residence. Nor do you carelessly leave it in the back seat of a car. CYA.

Anything else opens the possibility of you becoming a scapegoat.

"Now ask yourself what is worse: a superior handing over 800,000 SSN's to an intern, or an intern leaving those SSN's in his car?"

It's not a question of what is worse, really. It's a matter of fact that there is stupidity on all parts, in all links of the chain. You will always have the situation where "perfect" policy will be subverted by a clueless drone and that an imperfect policy will cause normally competent people to fail. Encrypt the data all you want but you'll still get people who need to work with it un-encrypting it and dumping it to an unsafe format, excel spreadsheet, etc. to "work" with it or "look" at it.

Re:It Figures... (1)

Oligonicella (659917) | more than 7 years ago | (#20010407)

"But did he really lose them?"

Uh, yes. That is empirical fact. They were in his car and he left them unattended.

"... where should he have stored them?"

No. '... why would he have taken them?'

Interns aren't tabula rasa, they're just inexperienced. What background did he have? Any IT schooling? If so, he was aware of what he was doing. All the persons in the chain of command are guilty, even the peons.

prime suspect (4, Funny)

j00r0m4nc3r (959816) | more than 7 years ago | (#20009815)

"Three months into his $10.50-an-hour internship, he left the tapes in his car overnight -- unencrypted -- and they were stolen, and his 1990 Yugo mysteriously replaced with a new Ferrari."

Re:prime suspect (0, Redundant)

FudRucker (866063) | more than 7 years ago | (#20010041)

my thoughts exactly, he was probably paid off (inside job) playing dumb is just an easy way to sandbag & damage control...

Re:prime suspect (1)

Silverhammer (13644) | more than 7 years ago | (#20010329)

The parent said:

"Three months into his $10.50-an-hour internship, he left the tapes in his car overnight -- unencrypted -- and they were stolen, and his 1990 Yugo mysteriously replaced with a new Ferrari."

Who the hell would buy a Ferrari with gas prices the way they are?

prime pay raise. (0)

Anonymous Coward | more than 7 years ago | (#20010351)

You laugh but I would work for $10.50 an hour. Not all of us are as well off to buy gadgets like iPhones and $800 video cards.

Uh-oh. (5, Funny)

Rob T Firefly (844560) | more than 7 years ago | (#20009817)

After all these years, they've finally found a security hole in the Sneakernet. [wikipedia.org]

Didn't anyone think (1)

CaffeineAddict2001 (518485) | more than 7 years ago | (#20009819)

"Maybe my social security number is on these tapes?"
Would they have handled it any differently if it was?

Re:Didn't anyone think (1)

Kamokazi (1080091) | more than 7 years ago | (#20010129)

They sent you a mail notification if your name was on the list. Myself, my mother, and my brother were all on that list (Maybe it was regional?). They are offering a free year of credit monitoring, which is a nice gesture, but a nuisance, because before any of us can be approved for credit, they have to call and confirm it with us. The bad thing about this is, half the places you apply for credit (retail stores and whatnot) have overly simplistic systems that apparently aren't capable of handling exceptions, so the credit just gets denied.

Stolen SSNs (1)

NeoTerra (986979) | more than 7 years ago | (#20009821)

Ok, I know that keeping data off-site is a good thing, but do you hand an intern your backups and send him home with the tapes? I think they REALLY need to redo their backup plan. Especially if it involves THAT MUCH personal data.

Bring these back tomorrow? (1)

vigmeister (1112659) | more than 7 years ago | (#20009833)

What kind of job asks you to take backup tapes w/ sensitive information home with you? Don't they have a cabinet or a drawer inside the building (which is itself presumably safer)?

Cheers!

Re:Bring these back tomorrow? (2, Informative)

coren2000 (788204) | more than 7 years ago | (#20009951)

I assume they remove backups from the site nightly, in case of fire.

Re:Bring these back tomorrow? (1)

tomstdenis (446163) | more than 7 years ago | (#20010021)

Why not just have two data centres and pipe the new records via a SSL or VPN tunnel?

Wouldn't that make a lot more sense and be a hell of a lot safer?

Re:Bring these back tomorrow? (1)

n1ckml007 (683046) | more than 7 years ago | (#20010081)

This is an inexpensive way to do off-site backup, as noted in TFA the data should have been encrypted.

Small mistake in title... (5, Funny)

cbrichar (819941) | more than 7 years ago | (#20009835)

Intern Loses 800,000 Social Security Numbers, 1 Internship

Fixed it for you.

7.3%- Sounds about right (2, Insightful)

DrLudicrous (607375) | more than 7 years ago | (#20009845)

7.3% sounds right. I know of several people affected by this- but rest assured, the great state of Ohio is promising one full year of ID theft protection. Bet that makes those folks sleep better at night. One friend that got a letter informing him of his SSN being stolen was told why- he was one of many Ohio taxpayers who has not yet cashed their state tax refund, and as a result, was kept in a database on the stolen tapes. As the Pretenders said, "Way to go Ohio!"

everyone BUT the intern should be fired (4, Insightful)

uncleFester (29998) | more than 7 years ago | (#20009849)

heh.. getting fired for doing what your boss told you to do.. it's the new trend in corporate america!

i get told now and then to do something not quite above board.. so i send the requester an email asking them to state in explicit detail what they want so i can be clear (and also have a record/trail). most times, the request is not repeated. doesn't make me terribly popular, but i sure as hell am not going to get tossed for another person's bad (or illegal?) request.

i kinda feel bad for the intern.. kinda like a falsely-accused criminal. this will probably follow him around a while and it was little or no fault of his own..

-r (has NO problem believing the intern's story 100%)

Re:everyone BUT the intern should be fired (1)

nelsonal (549144) | more than 7 years ago | (#20009913)

Yeah for an intern working for the government (effectively) CYA should have been job one (why do you think bureaucracies are so inefficient). That intern must have skipped the day the lesson was taught.

Re:everyone BUT the intern should be fired (2, Funny)

Minwee (522556) | more than 7 years ago | (#20010349)

No, I think that he very definitely was there the day that lesson was taught. It was the morning after he took a set of backup tapes home.

Re:everyone BUT the intern should be fired (1)

plague3106 (71849) | more than 7 years ago | (#20010019)

He was told to take the tapes HOME, not take the tapes and leave them in his car overnight. He certainly deserves to be fired, as does everyone else.

Re:everyone BUT the intern should be fired (1)

Thyamine (531612) | more than 7 years ago | (#20010171)

Actually who knows what he was told. He was told to take them home, but someone could have just as easily told him afterwards that he can just leave them in the car because he just needs to get them off-site. I've seen plenty of engineers leave computers, servers, laptops, etc in cars because you always figure it's not going to happen to you, and most of the time they're right. It's that one time you're wrong and lose 800,000 SSNs that comes back to bite you in the ass.

I want to know why someone felt that something so critical could be taken care of by the intern. I've been to several clients where the president of the company, or the CIO if they're big enough, takes home a tape 'just in case'.

Re:everyone BUT the intern should be fired (1)

gigne (990887) | more than 7 years ago | (#20010179)

So how would this have played out if the intern had done as he was told, his house had been broken into, and the tapes stolen? My guess is his neck would still be in that noose. He looked to be in a lose/lose situation.

Wouldn't you? (0)

Anonymous Coward | more than 7 years ago | (#20009853)

Who better to blame than some dumb (get off my lawn!) kid? We're all young and stupid at some point in our lives. There were times in my youth that I followed procedures by the book or (more usually) per instructions, had something screw up, and I got the blame.

On the bright side, he's an intern, meaning he's supposed to be in a learning situation. This will teach him not to trust his supervisors!

Of course, the blame ought to go to whoever stole the tapes in the first place. The only question that nags at me is why anyone would steal tapes? And I'm haunted by times I was supposed to change backup tapes at another (now closed) facility, and often left tapes in the car thinking nobody would have any use for them. Of course, ours were encrypted...

-mcgrew [kuro5hin.org]

Story from school (0)

Anonymous Coward | more than 7 years ago | (#20009871)

This reminds me of a story a dumb ass teacher told us in a professional presentation class. I guess a guy with his Masters Degree (can not remember the degree) wrote a proposal to the government for Bell Helicopter. He had about 20 people below him and they proofed it to make sure the proposal looked ok. Well, the proposal was not ok; the budget numbers were off. So the government rejected the proposal and Bell did not get the contract. Bell then told the guy with his Masters he had to fire all 20 people below him because they did not catch that mistake. What I do not get is why do they not fire the guy who wrote it in the first place? It is always pin it on the little guy. I feel sorry for the intern. He probably did not know what he had, and the boss probably told him to do that. I bet the boss gets to keep his job.

Don't worry! (1)

jollyreaper (513215) | more than 7 years ago | (#20009875)

I found them!

Thanks a Lot Genius (1)

nuintari (47926) | more than 7 years ago | (#20009877)

My girlfriend was one of the numbers stolen, the state has graciously offered to buy her a year of ID protection. Cause yeah, after a year, this problem goes away. She is going to have to pay for the service for years after this, just for peace of mind. Thank you so much, we didn't need this stress. You know how much beer I can buy with a year's worth of ID theft prevention? Enough to get me drunk _several_ times buddy, yeah, you are killing my buzz already!

You know what they say, "if an intern triples your workload, consider yourself lucky."

Re:Thanks a Lot Genius (1)

tomstdenis (446163) | more than 7 years ago | (#20009983)

Could always apply for a new SSN, credit card, etc...?

Tom

Makes sense not to report for a bit (4, Insightful)

Dan East (318230) | more than 7 years ago | (#20009905)

It makes sense not to report the loss for a while. 5 cars were broken into that night, and the thieves certainly grabbed anything that looked half valuable. They most likely had no idea that the tapes contained potentially valuable information, and almost without any doubt had no means to actually read the data.

If a news report came out the next day "20,000 SSNs stolen" then they would know what they had, and try to find a buyer. Otherwise the tapes would likely have been trashed so the criminals wouldn't have incriminating evidence sitting around their house.

Dan East

Thief probably thought he had a VHS tape (1)

lordscotus (728448) | more than 7 years ago | (#20010061)

Thief probably thought he had a VHS tape! ... but it wouldn't play, so it went into the trash.

Re:Makes sense not to report for a bit (1)

n1ckml007 (683046) | more than 7 years ago | (#20010211)

There's a balance here, if you wait too long to disclose, you're not giving the owners of the Social Security #'s a chance to protect themselves. Also, the state may have a law on the books about disclosure time requirements.

Re:Makes sense not to report for a bit (2, Insightful)

hellfire (86129) | more than 7 years ago | (#20010273)

That makes no sense. You report the loss to the police, and then you ask/suggest them to keep it under wraps because of the sensitive nature of the data in the hopes the criminals don't know what they have. You are also doing a disservice to the people's information that was stolen, because what if the criminals DID know what they had and DID have a way to read the data?

That's like not reporting your car stolen and just hoping it will turn up somewhere unscathed because it was a 1989 honda. Sure, it's not worth much to anyone but you, but not letting the police do their job is plain stupid.

It gets better...er, funnier at least (5, Informative)

gskouby (61416) | more than 7 years ago | (#20009949)

The State of Ohio is offering one year of identity theft protection to those affected. To look up your access code for this one free year of ID theft prevention please visit this page:

http://ohio.gov/idprotect/lookup/lookup.aspx/ [ohio.gov]

On this page you enter your last name and the last four of your SSN. Anybody see anything fishy about this page? HOW ABOUT THAT IT ISN'T USING SSL. Apparently they don't believe in using encryption anywhere, ever. Not on backup tapes and definitely not when transmitting sensitive information over the Internet.

Re:It gets better...er, funnier at least (1, Funny)

Anonymous Coward | more than 7 years ago | (#20010335)

Typing common names and random numbers into that site got me a hit on only the second try! I have (or rather, Mr Smith has) been assigned an activation PIN and given a toll-free phone number to dial (although I doubt it would be free from the part of the world I'm living in).

What's the betting I can bluff through the rest of the security checks and get some free money?

Re:It gets better...er, funnier at least (5, Interesting)

TheLink (130905) | more than 7 years ago | (#20010369)

Heh, I tried smith, 1234 and got:
Your assigned activation PIN (personal identity number) is 7655616

smith, 1235 = nada
smith, 1236 = 8966764

Then, I tried:
%, 1236 = 3738028

smit%, 1234 = 7655616
smit, 1234 = 7655616
smoth, 1234 = nada
sm_th, 1234 = 7655616 :)

Lastly, if your organization's procedure is to pass 22 year old interns the company's "family jewels" to keep overnight and one day they get stolen, it's not the intern's fault at all.

The management is to be blamed for this. That's pretty much a stupid procedure.

The intern isn't being paid enough for such a responsibility, nor should the intern be given such a responsibility in the first place.
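The results listed in this comment (`smit`, `smit%`, `sm_th` and a bare `%` all returning a PIN, `smoth` returning nothing) are what a prefix lookup built on SQL `LIKE` produces. As an added illustration, not part of the original comment and not the state's code, this constructed sqlite3 table puts such a lookup beside an exact-match one; the table, column and function names and the sample rows are assumptions.

```python
import re
import sqlite3

# Constructed rows: (last_name, ssn_last4, pin). None of this is real data.
ROWS = [
    ("Smith", "1234", "1000001"),
    ("Smith", "1236", "1000002"),
    ("Jones", "1236", "1000003"),
]

# Hypothetical input rules: letters, apostrophe, hyphen, space; four digits.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z' -]{0,63}")
LAST4_RE = re.compile(r"[0-9]{4}")


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE affected (last_name TEXT, ssn_last4 TEXT, pin TEXT)")
    db.executemany("INSERT INTO affected VALUES (?, ?, ?)", ROWS)
    return db


def lookup_weak(db, last_name, ssn_last4):
    """Prefix match with LIKE. Bound parameters stop injection, but '%' and
    '_' inside the bound value still act as wildcards."""
    row = db.execute(
        "SELECT pin FROM affected "
        "WHERE last_name LIKE ? || '%' AND ssn_last4 = ? ORDER BY rowid",
        (last_name, ssn_last4),
    ).fetchone()
    return row[0] if row else None


def lookup_strict(db, last_name, ssn_last4):
    """Exact, case-insensitive match on validated input; no answer if ambiguous."""
    if not NAME_RE.fullmatch(last_name) or not LAST4_RE.fullmatch(ssn_last4):
        return None
    rows = db.execute(
        "SELECT pin FROM affected "
        "WHERE last_name = ? COLLATE NOCASE AND ssn_last4 = ?",
        (last_name, ssn_last4),
    ).fetchall()
    return rows[0][0] if len(rows) == 1 else None


if __name__ == "__main__":
    db = make_db()
    # Inputs taken from the comment above.
    for name, last4 in [("smith", "1234"), ("smit", "1234"), ("smit%", "1234"),
                        ("sm_th", "1234"), ("smoth", "1234"), ("%", "1236")]:
        print(f"{name!r:9} {last4}  weak={lookup_weak(db, name, last4)}"
              f"  strict={lookup_strict(db, name, last4)}")
```

Exact matching only removes the wildcard shortcut. A last name plus four digits is still guessable, as the previous comment shows, so a lookup like this also needs throttling and a second factor the requester alone holds.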

NHS has the same protocols (0)

Anonymous Coward | more than 7 years ago | (#20009979)

I set up a clinic for an NHS contractor in the UK last year and the IT supplier of the clinical system actually had an NHS approved protocol documenting the exact same procedure - ie take tape off site every night.
I went through the backup code and this was the command executed every day from their pre-production version of mysql5: /usr/bin/mysqldump -q -uroot -psecretpassword database > /tape/backup.sql

which was nice.

Libertarians rejoice! (1)

GodfatherofSoul (174979) | more than 7 years ago | (#20010011)

I'm sure if Big Evil Government was in charge of these tapes, it would have hired a $250/hr consultant to give them to a $21/hr intern to lose. Think of the savings!

Why take it home (1)

jshriverWVU (810740) | more than 7 years ago | (#20010035)

In all of these articles that pop up the same thing pops in mind. Why are people allowed to take anything of value home with them? Information like this needs to have some kind of cvs/subversion system with it. If you need to check it out, there is a trail showing who has what, and people shouldn't be allowed to take things home, and all sensitive information needs to be encrypted whether internally or not.

Simple Solution To All This (3, Insightful)

deadline (14171) | more than 7 years ago | (#20010065)

There is a simple solution to this kind of thing. You take the SSN, bank account and CC numbers of the person in charge (the General, Congressman, CEO etc.) and you put them in every container, laptop, tape, HDD, USB stick, etc. that has private information on it.

Problem solved.

Negligence (2, Interesting)

HamsterRabies (1124759) | more than 7 years ago | (#20010107)

The 22 yr old's response is unacceptable given the amount of press and exposure identity theft is given.

The value of labor per hour is not relevant and should be considered distraction of truth in this situation. The reality is that an adult of mature age was directed to secure the property and was asked to take it home and keep it safe.

Whether this was wrong or not is a non-point the moment he accepted the assignment.
The fact that he left it in his vehicle is a first point of negligence.
The second fact would be his willingness to do something he felt was a risk, such as taking these tapes home.
The third being his lack of documented objection to the process and procedure which is obviously faulted.

Old news (1)

InvisblePinkUnicorn (1126837) | more than 7 years ago | (#20010115)

This is old news for Ohioans. I submitted this story to /. 2 weeks ago...

gpg/pgp encryption (1)

mwilliamson (672411) | more than 7 years ago | (#20010117)

For a good portion of my database backups that may or may not contain confidential information, I tar, compress and encrypt with gpg my backup data files before they get put into a directory archived by our automated tape library. I don't have to trust who has the tapes, and who is going to carry them off-site during our next hurricane threat. I clocked gpg on a fairly modest Dell 2950 server at about 10 megabytes / second. If you need more, there are hardware-based accelerator cards available.
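As an added example (not from either commenter): a small audit of backup command lines that flags the two problems in the mysqldump command quoted in the NHS comment above, a password passed on the command line and a dump written with no encryption stage, and passes a tar-to-gpg pipeline like the one described here. The encryptor list, the two constructed pipelines, the file paths and the recipient address are assumptions.

```python
import re
import shlex

# Programs counted as an encryption stage (assumed list; extend for your site).
ENCRYPTORS = {"gpg", "gpg2", "age"}
# mysql clients take the password glued to -p or after --password=
INLINE_PASSWORD = re.compile(r"-p.+|--password=.+")

PASSWORD_FINDING = "database password on the command line"
PLAINTEXT_FINDING = "no encryption stage before the backup is written"


def split_stages(command):
    """Tokenise one shell line and split it into pipeline stages."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    stages = [[]]
    for token in lex:
        if token == "|":
            stages.append([])
        else:
            stages[-1].append(token)
    return [stage for stage in stages if stage]


def audit_backup_command(command):
    """Return the findings for one backup command line (empty list = clean)."""
    findings = []
    stages = split_stages(command)
    programs = [stage[0].rsplit("/", 1)[-1] for stage in stages]
    for program, stage in zip(programs, stages):
        if program in ("mysql", "mysqldump") and any(
            INLINE_PASSWORD.fullmatch(arg) for arg in stage[1:]
        ):
            findings.append(PASSWORD_FINDING)
    if not ENCRYPTORS.intersection(programs):
        findings.append(PLAINTEXT_FINDING)
    return findings


# The command quoted in the NHS comment, then two constructed pipelines.
QUOTED = "/usr/bin/mysqldump -q -uroot -psecretpassword database > /tape/backup.sql"
TAR_GPG = ("tar -czf - /var/backups/db "
           "| gpg --encrypt --recipient backup@example.org -o /staging/db.tar.gz.gpg")
DUMP_GPG = ("mysqldump --defaults-extra-file=/etc/mysql/backup.cnf database "
            "| gpg --encrypt --recipient backup@example.org -o /staging/db.sql.gpg")

if __name__ == "__main__":
    for cmd in (QUOTED, TAR_GPG, DUMP_GPG):
        print(audit_backup_command(cmd) or "clean", "<-", cmd)
```

Encrypting to a public key means the backup host and the tapes never hold the key needed to read the data, which is why it does not matter who carries them off-site.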

Re:gpg/pgp encryption (1)

mwilliamson (672411) | more than 7 years ago | (#20010281)

Dear Congress,

Please enact a law requiring that each and every use of our SSN be verified by the assignee (by phone, in-person, etc) of the SSN. Force the credit-granting agencies to verify before granting credit in such a way that the verification could only be used one time, for a limited time frame, for a set amount of credit to extend. Write the law in such a way that the credit issuer and credit agency are responsible for any un-verified credit and not the holder of the SSN.

This will undoubtedly stir opposition amongst the credit-industry lobbyists, but please remember you work for us, not them. We expect adequate protection and this very simple process would provide just that.

Thank you for your time.

Michael S. Williamson

Just SS numbers (1, Redundant)

john_is_war (310751) | more than 7 years ago | (#20010139)

Just imagine how much information would be available if the RealID act was in effect. This is precisely the reason I don't trust the government with my information: they can't keep it safe.

A few points on his statement (2, Insightful)

galego (110613) | more than 7 years ago | (#20010149)

From his statement: As an intern, I do not create policy, I do not interpret policy, and I do not question policy. I do what I am instructed to do.

1) He also obviously did not take time to investigate or read the policy. Granted .. this can be also blamed on supervisors. But there is no 'patch' for ignorance, correct? Sometimes you only get one shot.

2) If he had any idea what was on the tape, he should not have left it in his car. I don't know if it was in the open or not, but 'intern' or not, he should be aware of the sensitivities of that sort of data. He commented on the policy (which he was not aware of until after the fact ... we've covered that) and said it was "unreasonable to assume that the person would not stop somewhere on their way home". (He is questioning the policy, but we'll cover that next.) Again ... if I knew what was on that tape (granted, I am not an innocent, young 'intern'), I wouldn't take it. If forced to, I wouldn't let it out of my sight til in my home.

3) He *should* question policy if he wants to be valued .. hopefully he learns from that. That's something I look for in a valuable employee. Questioning does not necessarily mean 'defy' (which I think is what he is trying to say). If not questioning the policy, he should be asking "This stuff is encrypted, right?"

They are kind of going after the young intern as someone to pin this on, I'm sure. However, I don't think he can/should hide behind his 'intern' label and fire his pop-gun back saying none of it is his fault. He should admit his part in the mistakes and what he would not repeat ... then point to the broken policy / security model. Also hope they have fraud alerts set up on those 770,000 people and are ensuring they have state-provided Equifax accounts! ;)

I live in Ohio (1)

jshriverWVU (810740) | more than 7 years ago | (#20010167)

What is this ID protection that keeps coming up in here? I haven't heard anything about it.

Re:I live in Ohio (1)

AetherWolf (908305) | more than 7 years ago | (#20010247)

If your info was on the disks the state would've sent you a letter with an id protection form. Yeah...as if doing it online wasn't bad enough, They want you to put ALL of your critical information on a piece of paper and MAIL it to Texas... Sound bad to anybody else? This should've been handled in state. Ohio massively dropped the ball...twice now. The form also doesn't look very convincing, I actually took it to the police station to see if they knew anything about it. Form is legit tho. I'm still not doing it. This sucks.

Re:I live in Ohio (1)

n1ckml007 (683046) | more than 7 years ago | (#20010291)

I assume they're referring to a service that the 3 credit companies offer, it's a way to "freeze" your credit as a way to protect yourself if you think you may have been a victim of identity theft. Also they may offer some monitoring to go along with this, of course this is normally a fee based service.

Gmail (1, Funny)

Alzheimers (467217) | more than 7 years ago | (#20010177)

800,000 SSN numbers
9 digits in an SSN number
1 comma delimiter per number
-----------
8,000,000 digits

This is still under Gmail's 10mb per email rule. He could have just emailed himself the list as backup.

(yes, I know there's more data than the number. That's why you get 2.8gb+ of space!)

The ones to blame (1)

Waffle Iron (339739) | more than 7 years ago | (#20010207)

are any and all organizations that collect a fixed 9-digit number (that is assigned at birth and revealed to hundreds of parties over a lifetime), and then use it in such a way that just knowing that number would ever be a security risk. The fact that this absurd practice is almost universal is just sheer stupidity on a national scale.

Maybe there should be a law that automobile license plate numbers should be the same as the owner's SSN. That would put a damper on the temptation to use SSNs as some kind of secret passphrase.

SARBOX - GLBA (1)

zerofoo (262795) | more than 7 years ago | (#20010267)

Sarbanes-Oxley defines many internal controls for publicly traded companies. Many of these controls directly apply to IT departments and their disaster recovery/business continuity plans.

The Gramm Leach Bliley Act defines how financial firms handle and use non-public information. It may be time to expand that to ALL organizations that store and use non-public information.

It is time to insist that Government agencies also implement the types of controls mandated by SARBOX and GLBA. If those controls are so important, why doesn't our Government implement the same exact policies?

We need legislation that protects ALL non-public information regardless of who stores it or why it is used.

-ted

And this is why (3, Insightful)

Anarke_Incarnate (733529) | more than 7 years ago | (#20010311)

SSNs should NEVER be used as primary identification numbers. They are legally only allowed to be used for distribution of benefits and collection of "tax" towards paying out those benefits.

They are essentially a pyramid scheme to keep old people happy. You have to put them on everything, because they have become a national ID number. People are too complacent with that.

Re:And this is why (1)

Stu Charlton (1311) | more than 7 years ago | (#20010375)

And most banks & telephone companies insist on having a copy of it. All the automated systems are built around it ("please enter the last 4 digits of your SSN, followed by the # sigh").... If you refuse to give it, you're stuck in operator queue hell.

fireproof safe (1)

freg (859413) | more than 7 years ago | (#20010343)

I'm going to take this opportunity to make my point once more that a fireproof safe (most all good safes are fireproof aren't they?) is quite often better than off-site storage. Especially if it's built into the floor or wall, tho that's not always possible.

1. encrypting isn't necessary with on-site storage, thus lowering backup resources, increasing recovery speed.
2. off-site storage is to protect from natural disasters and theft, both of which a reasonably sturdy lock-box is good for.
3. theft and damage is more likely with off-site backups, even if my data is encrypted I'd rather not hand over my nice big drives. plus the idea of tape drives sitting in the back of a 150 degree car window isn't ideal...
4. on-site means you can get to your backups when u need to, instead of when the intern decides to come in.

feel free to nitpick my points

$125 an hour? (4, Funny)

n1ckml007 (683046) | more than 7 years ago | (#20010355)

I'm obviously in the wrong career path; I could be losing SSN's for $125 an hour! Maybe next year I can move on to some $200 an hour medical record losing gig.

outsourcing at its best (1)

Joe The Dragon (967727) | more than 7 years ago | (#20010381)

The state can like pay the consultants a FULL time wage with benefits are it is like that consultants making $125/H and $200/H don't get them.

I suspect an "Inside Job"... (1)

StressGuy (472374) | more than 7 years ago | (#20010409)

Think about it for a minute...Un-encrypted tapes are given to an in-experienced intern with instructions to take them out of the building. Soon after that, they are stolen.

There's careless, there's stupid....and then there's pre-meditated.

I suspect he might be right about the "scapegoat" claim. There are just too many mistakes here by too many people who should have known better for me to accept as a pure "accident"