Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Privacy Government Security IT

IT Worker Fired After Massive Georgia Data Breach Speaks Out (ajc.com) 113

McGruber writes: On November 17, two Georgia women filed a class action lawsuit alleging that Georgia Secretary of State Brian Kemp had released the Social Security numbers, birthdates, Drivers License numbers and other private information of all registered voters in Georgia. After the lawsuit was filed, Secretary Kemp posted an official notice of the breach on his website as required by Georgia state law.

Secretary Kemp also sent a private letter to Georgia lawmakers describing how the breach happened. In the letter, obtained by The Atlanta Journal-Constitution, Kemp said his office learned of the foul-up on Nov. 13 — four days before any public acknowledgment of the problem. In that private letter to Georgia lawmakers, Kemp also stated that he fired the IT worker who had inadvertently added the personal data including Social Security numbers and birth dates to the public statewide voter file.

Now that fired IT worker, longtime state programmer Gary Cooley, has told the Atlanta Journal Constitution newspaper that he did not actually have the security access necessary to add millions of Social Security numbers and birth dates to the data file that was released to the public. While Cooley does acknowledge a role in the gaffe, he also outlined a more complicated series of missteps and miscommunications both within Kemp's office and with PCC Technology Group, an outside vendor tasked with managing voter data for the state.

This discussion has been archived. No new comments can be posted.

IT Worker Fired After Massive Georgia Data Breach Speaks Out

Comments Filter:
  • Users blaming IT (Score:3, Informative)

    by Anonymous Coward on Thursday December 03, 2015 @10:00PM (#51054647)

    News at 11:00

    • by Anonymous Coward

      I'll be eagerly watching. With a headline as tantilizing as that, I wanna hear what the massive Georgia data breach said that caused the IT worker to get fired.

  • to take the fall. it's not the tech, that's India's bailiwick.
  • Comment removed (Score:5, Informative)

    by account_deleted ( 4530225 ) on Thursday December 03, 2015 @10:31PM (#51054755)
    Comment removed based on user account deletion
    • by TWX ( 665546 )

      instead of "coming clean" to a newspaper, he should have filed a wrongful termination suit. I'd wager Cooley doesnt care about that, and is just glad to get out from an underpaying cube-slave job with low oversight and piss poor accountability and management.

      More to the point, depending on how the public disclosure was handled and any slander on the part of government officials, he might be in a position to sue for retirement-related benefits. If he was close to retirement age anyway he might be able to leverage a lawsuit payment directly into his retirement-eligible wages which could take what might be a 60%-of-salary pension and get it closer to a 100% pension.

      • by Z00L00K ( 682162 )

        Sometimes that's why companies pays people for early retirement. There's nothing to gain from firing someone as a scapegoat officially, it's better to keep stuff out of the news.

        At least officially the person is retired. And the company may still have a hook on that person in case they need something.

      • "instead of "coming clean" to a newspaper, he should have filed a wrongful termination suit."

        Do IT people actually get to do this? And file such a suit without running into 'You'll never get work on this planet again'? Blaring his account to the media might have been the only way to redress this.

        • Do IT people actually get to do this? And file such a suit without running into 'You'll never get work on this planet again'? Blaring his account to the media might have been the only way to redress this.

          If I was an employer, an employee airing complaints to the media about his former job would scare me more then knowing that he had filed an unlawful termination lawsuit.

          • by BVis ( 267028 )

            This guy is radioactive anyway. He was a scapegoat for people above him in the hierarchy fucking up. This is what people in power that fuck up do - instead of admitting they don't know everything and are not perfect, they pick a drone that they can spin a narrative around (out of whole cloth, basically) and sell it to the angry mob who doesn't understand the issues involved. Yes, it basically ends someone's career, but the important thing is that it isn't their career like it should be.

            So, since his care

            • And I take issue with the fact that a terminated employee should be punished further for telling the truth about a situation. Any time someone is punished for telling the truth, we all lose.

              I don't disagree. I was commenting on the post that said that career wise, it is better for people to go to the public media to broadcast the situation versus a private lawsuit.

        • Experience says that whistle-blowing is the best and fastest way to get blackballed. I'm pretty sure "You'll never work on this planet again" is already the case.

    • by fred911 ( 83970 )

      "instead of "coming clean" to a newspaper, he should have filed a wrongful termination suit."

        Except for the fact that most employees in the state of Georgia are "at will". Which generally means they can fire
      him with or without cause. Without knowing if there was an employment contract it's just speculation.

      • Re:saner summary. (Score:5, Interesting)

        by s.petry ( 762400 ) on Thursday December 03, 2015 @11:13PM (#51054897)
        "At will" does not mean what you are implying. Wrongful terminations are quite possible, though obviously difficult to prove without extreme circumstances. This guy has extreme circumstances, and a politician on record saying they fired the responsible employee. Libel and Slander are also possible given this situation, so as a hunch the State of GA will be handing this guy a big pile of hush money^W^W^W^Wcheck for damages.
        • If this guy was responsible for communicating with the outsource, and his order resulted in data contamination, then he is pretty much the only employee of the state available for personnel action.

          I suppose they might cancel the contract with PCC, but that would be bad for the economy, disrupt state business for however long it takes to authorize a new contract, and likely has some breech of contract or early termination costs. Also, probably an admission of error at a much higher level

          • by Anonymous Coward

            " ... the only employee of the state available for personnel action."

            Brian Kemp stated clearly he takes all responsibility. He should therefore fire himself.

      • by Jack9 ( 11421 )

        At-will does not protect an organization from wrongful termination or libel or slander. He can probably end up in a mediation for damages.

        • by BVis ( 267028 )

          Unless you're a member of a "protected group", and/or you can demonstrate explicitly illegal behavior (like wage violations), you will not win a wrongful termination lawsuit. Being made a scapegoat is not illegal behavior on the employer's part. In the eyes of the law, there is no injury to the former employee here - you can be fired for any time for any reason, or no reason at all. That is what "at-will" employment means. The burden is on the former employee to demonstrate the true reason why they were

      • Except for the fact that most employees in the state of Georgia are "at will". Which generally means they can fire
        him with or without cause. Without knowing if there was an employment contract it's just speculation.

        At least three mistakes were made here. Thus far, only one mistake is being addressed, and that's the cover-up made by the employee.

        The vendor needs to be taken to task. The vendor has security access to the data. Supposedly, the staff of the vendor should have been trained properly. Also, even if the public agency didn't disclose the breach. The vendor should have publicly disclosed the breach. It obviously didn't either.

        And finally, what's up with Secretary Kemp? Why is he sending out political party affi

        • The vendor needs to be taken to task. The vendor has security access to the data. Supposedly, the staff of the vendor should have been trained properly. Also, even if the public agency didn't disclose the breach. The vendor should have publicly disclosed the breach. It obviously didn't either.

          This

          Like many people on this site, I work in IT. I get requests for access to data all the time. Some are obvious that they should be granted (a new manager is hired and they ask for access to the management section of the file server). Some are obvious they shouldn't be granted (an engineer asks for access to our controlled documents, which by company policy are restricted to only 2 people [uncontrolled versions are available to larger groups]). Some are less obvious. In those cases, I typically push t

    • Re:saner summary. (Score:5, Interesting)

      by clovis ( 4684 ) on Thursday December 03, 2015 @11:35PM (#51054971)

      They were right to fire him, but not for what he did, but what he did not do.
      The data was exposed for 10 days, and he fixed that the instant he discovered the exposure.

      What he did not do was tell his boss about it.

        His boss was put into the position of walking into a meeting with his dick hanging out, and he could have known, but the one guy who did know " thought it was ok"

      Of all the sins an employee can make, it is a thousand times worse if the boss finds out about a screwup in his department from guy at the top, or worse, the newspaper, or worse yet, the lawyers.

      • by Anonymous Coward

        That really depends on the work environment. He may have known that if he brought it to the attention of his boss, he would have been blamed and possibly fired for it even though it wasn't his fault. Or maybe people were leaving private documents on public shares every few weeks and people were sick of reporting it.

        If you found and fixed a seemingly minor security vulnerability that appeared to have gone unexploited, would you start ringing alarm bells or just consider it closed, make a note, and go about

      • Bullshit,

        It's not my job to protect my fucking idiot of a boss.

        It is my job to protect myself from him.
        • If your boss deserves a manager position, he or she should never make you feel like you need to hide an error.

          Too bad that's a rare thing. Too many managers think their job is to be the overseer wielding the whip on the backs of the field workers instead of the person whose biggest role is running interference against the bureaucratic garbage that stop the team from being productive.
      • In the private sector your boss doesn't want to be bothered by all the screwups you fix. Dealing with screwups is part of your job, fix it and put it in your weekly status report.

        Then again, I've never been in a position to reveal butt loads of SSNs either. Yet. bwa haa haaa.
        • I've worked with a few large corporations that had a pretty clear policy on this: if you suspect that sensitive data has been exposed, you must tell your boss or the infosec guys. They can then investigate whether any data was actually stolen, and take mitigating actions before having to read about the leak in the press. This makes sense. Dealing with screw ups is part of your job, but exposure of sensitive data is usually something that goes waaaay over your head or your pay grade. Not informing others abo
          • I've worked with a few large corporations that had a pretty clear policy on this: if you suspect that sensitive data has been exposed, you must tell your boss or the infosec guys.

            The large corporation that employs me has exactly this policy.

      • by Z00L00K ( 682162 )

        Sometimes it's also better for management to not know everything, they may look like retards at first glance but if they were informed about every SNAFU that occurred they wouldn't be able to do their jobs.

        It's also a security matter, if a manager knows everything that is to know then that person is also a security risk.

    • Re:saner summary. (Score:4, Interesting)

      by Anonymous Coward on Thursday December 03, 2015 @11:35PM (#51054973)

      The miscommunication still falls on the person directly managing the situation, even if they weren't qualified to understand the problem.

      You don't need to be a carpenter to run a general contracting company and build homes, but if your build faulty homes and someone gets hurt it still lands on your head. You can try to blame a sub-contractor, but one of the main reasons people hire general contractors is to manage all the multiple elements of a complex build.

      If Cooley did not fully understand what was going on or did no fully communicate his needs, that's his fault, especially as the person effectively in charge of the project. Of course Cooley's boss should still take the brunt of the blame because that's how you root out bad management.

      The people who posted this info must have had access to it, any reason able amount of follow through should have alerted them that a large amount of sensitive data was being posted publicly. I've been in plenty of IT situation where I had to real in security because everyone else was oblivious, even though that was clearly not my job role. IT work isn't unskilled labor, your supposed to know better than to do stuff like this, even if your just working with a company to host some data online. I suspect they were all getting paid well enough that there is no excuse for being so sloppy and oblivious.

      • by clovis ( 4684 )

        IT work isn't unskilled labor, your supposed to know better than to do stuff like this, even if your just working with a company to host some data online. I suspect they were all getting paid well enough that there is no excuse for being so sloppy and oblivious.

        This^
        Thanks, you said it better than I did.

    • Wrongful termination almost never works these days. They can fire you for having the wrong shirt color and there's nothing you can do in most states. Even if there was a chance in Georgia, he'd still need absolute proof that this was the reason for his firing (ie, were the reasons for his termination put into writing). You can make inferences but that won't often work if you've got big lawyers versus small lawyers.

      So really the best bet to get the job back or get compensation is to make it public, becaus

      • Seeing that this is all over the news, and Georgia Secretary of State Brian Kemp has made multiple public statements about the firing, absolute proof in this specific incident shouldn't be too difficult.
      • by eWarz ( 610883 )
        Maybe, however since this was a government job, things are changed up ever so slightly. In most states a whistleblower law applies along with various public records acts. It's very different from working for a private employer. Your actions as a public employer are being held accountable by various laws that have been implemented in an attempt to protect the taxpayers. Someone's head is going to roll for this and I'm sure the IT guy will win out in the end unless he's hiding something.
    • by AK Marc ( 707885 )
      Yes, that's how it always works. The innocent take blame more than the guilty. It's not what you know, it's who you know. Though the nepotism seems to nausiate those who believe in the meritocracy, so slashdot can't even discuss the tendency civilly.
    • One thing that you're missing, at least according to the articles I read, is that when he became aware of the issue, he didn't report it, but simply removed the files. I've worked in government agencies dealing with PII before, and in almost all cases, knowledge of a breach of procedure like this requires reporting even if you don't have evidence that the data was ever accessed by an unauthorized party, with penaties ranging from internal discplinary actions to civil or criminal charges. While this doesn'

    • Actually, if I were him, I would sue for wrongful termination, but no money other than legal fees. Basically, I would want my name cleared of that. It is obvious that the Secretary of State and the gov are trying to cover up their own misdeeds. After all, why were they requesting that data?
  • by schwit1 ( 797399 ) on Thursday December 03, 2015 @10:35PM (#51054775)
    It's always a minion that gets blamed and the punished. The prisoners are tortured at Abu Ghraib, and only the underlings go to jail. Their bosses knew. The bosses always know or should have known.

    Nothing will change until top people like Brian Kemp or the former head of OPM are thrown into jail for years.

    • by Anonymous Coward

      It's always a minion that gets blamed and the punished.

      Six Phases of a Project

      * Enthusiasm
      * Disillusionment
      * Panic
      * Search for guilty
      * Punishment of innocent
      * Praise and honour for non participants

  • It was all 100% the sacrificial lamb's fault.

    This message has been approved by YAHWEH.

  • by Anonymous Coward

    Doesn't matter if it's not the best to be fired, just as long as someone is made accountable! Go Georgia State!

  • by Anonymous Coward

    Why is there a link to the article, that talks about this other link to the actual article. That's just weird.

  • I'm not surprised. (Score:5, Insightful)

    by gargleblast ( 683147 ) on Thursday December 03, 2015 @11:20PM (#51054929)
    It's not every day a data breach speaks out.
    • by cdrudge ( 68377 )

      It's a horrible headline.

      Did the data breach speak out and cause the IT worker to be fired?
      Was the IT worker fired because he spoke out about the data breach?
      Was the IT worker already fired because of the data breach now speaking out?

      The proper headline would read "IT Worker Speaks Out After Being Fired for Massive Georgia Data Breach"

  • I dont usually complain about articles but what the fuck slashdot

    "To read more about what Cooley said in our exclusive interview, look for updates on [stupid other website]"

    I was actually interested in this shit! that article says no fucking thing.

    • by msauve ( 701917 )
      So, you couldn't figure out that ajc.com and myajc.com were both sites run by the same organization (the Atlanta Journal-Constitution)? Your loss, the link went to a more comprehensive article.

      But, someone who thinks repeatedly saying "fuck" somehow makes their argument stronger is unlikely to spend more time reading, anyway.
      • by Anonymous Coward

        First, you're expecting someone to click not only on TFA, but one of four links in the summary, then click on one of three other links within one of those links, and then recognize that, by hovering on the link, that unlike all other websites in the last decade, some text labeled "www.myajc.com" doesn't actually link to the main site of http://www.myajc.com/ but the specific article with more info ...?

        You're the sort of employee that is awesome, and the sort of employer that I dread to work for. Hope you'r

      • by lloid ( 165939 )

        They are the same company, but the actual meat of the article is behind their stupid paywall. They have a shitty model for a news site, which is give you random bits of info, but not the ones you want, then ask for money.

  • by NostalgiaForInfinity ( 4001831 ) on Friday December 04, 2015 @12:29AM (#51055113)

    People should stop using birth dates and social security numbers for security or identification purposes. We should use smart cards and public keys for identification, both for government services and financial transactions.

    • Yes, this! None of this info is private! And so, there was no data breach. Not only is the poor employee being blamed for an action that he didn't do, it wasn't or shouldn't even be problematic.

      Further, if the info was thought so sensitive, why was it evidently stored without encryption? Who didn't encrypt the data? For decades, passwords have been transformed with secure one way hashes, and not even the system admins can view the originals. (May still be crackable, but that's another issue.) User

    • People should stop using birth dates and social security numbers for security or identification purposes. We should use smart cards and public keys for identification, both for government services and financial transactions.

      Yes, but the only real practical way to do this is tie the key to biometric information such that when that private key or the signing authority get's compromised, you can get a new key by a) being alive and b) matching the biometric data. It should work at least until we can start duplicating people. Of course, if you tried to suggest such a thing in earnest, you'd be bombarded left and right by the civil libertarians and the religious wingnuts, government intrusion or mark of the beast , take your pick. P

      • Yes, but the only real practical way to do this is tie the key to biometric information such that when that private key or the signing authority get's compromised, you can get a new key by a) being alive and b) matching the biometric data.

        You don't need online biometric information. A simple off-line photograph and fingerprint are enough. Sworn affidavits may also be used to replace some of those identifiers. That is, if you lose your identification card, you go to an office and re-establish your identity,

  • "The new file, he told them in an email, should include the same layout as the state’s regular statewide voter file. But, he said, it needed an addition of the three new data fields with the sensitive information."

    Should be easy enough to verify this if the email hasn't been deleted or modified. If the request was to put the fields in a new file, onus on the other party. If not, onus on the Cooley.

    • by Jeff Y ( 4362625 )
      And what if the email says literally what is reported there and nothing else: "The new file should include the same layout as the regular voter file but with the addition of the three new data fields." Is it "easy to verify" which of your two cases is the case? No, it's ambiguous. Onus where then?
      • And what if the email says literally what is reported there and nothing else: "The new file should include the same layout as the regular voter file but with the addition of the three new data fields." Is it "easy to verify" which of your two cases is the case? No, it's ambiguous. Onus where then?

        To me that is not ambiguous.

        There is an existing file referenced by the website. If the requester specifies a new file, that does not mean to change the existing file.

        N'est pas?

  • The Sec of State in GA is an elected position and as a result Kemp answers to no-one, not even the Governor. Kemp answers to the voters, only. And only on election day. And in this state the voters are probably going to give a blank stare about all of this mess. Burning CDs is majick wizard stuff.

    So Kemp will be re-elected next round.

  • "Cooley said the story began in late summer when the Secretary of State’s Office received a request from the Georgia Department of Revenue. The state agency, he said, wanted regular voter files plus something not given out to the public: voters’ Social Security numbers, birth dates and driver’s license numbers."

    I can understand voter records including an address and birth date (verifying someone is old enough to vote and in the right precinct, and easier distinguishing between multiple peo

  • They are making him train his H1B replacement.

Some people claim that the UNIX learning curve is steep, but at least you only have to climb it once.

Working...