IT Worker Fired After Massive Georgia Data Breach Speaks Out (ajc.com)
McGruber writes: On November 17, two Georgia women filed a class action lawsuit alleging that Georgia Secretary of State Brian Kemp had released the Social Security numbers, birthdates, driver's license numbers and other private information of all registered voters in Georgia. After the lawsuit was filed, Secretary Kemp posted an official notice of the breach on his website as required by Georgia state law.
Secretary Kemp also sent a private letter to Georgia lawmakers describing how the breach happened. In the letter, obtained by The Atlanta Journal-Constitution, Kemp said his office learned of the foul-up on Nov. 13 — four days before any public acknowledgment of the problem. In that private letter to Georgia lawmakers, Kemp also stated that he fired the IT worker who had inadvertently added the personal data including Social Security numbers and birth dates to the public statewide voter file.
Now that fired IT worker, longtime state programmer Gary Cooley, has told the Atlanta Journal Constitution newspaper that he did not actually have the security access necessary to add millions of Social Security numbers and birth dates to the data file that was released to the public. While Cooley does acknowledge a role in the gaffe, he also outlined a more complicated series of missteps and miscommunications both within Kemp's office and with PCC Technology Group, an outside vendor tasked with managing voter data for the state.
Users blaming IT (Score:3, Informative)
News at 11:00
Data Breach (Score:1)
I'll be eagerly watching. With a headline as tantalizing as that, I wanna hear what the massive Georgia data breach said that caused the IT worker to get fired.
that's why IT gets paid (Score:2)
Re: (Score:1)
The employers?
Comment removed (Score:5, Informative)
Re: (Score:2)
instead of "coming clean" to a newspaper, he should have filed a wrongful termination suit. I'd wager Cooley doesn't care about that, and is just glad to get out from an underpaying cube-slave job with low oversight and piss poor accountability and management.
More to the point, depending on how the public disclosure was handled and any slander on the part of government officials, he might be in a position to sue for retirement-related benefits. If he was close to retirement age anyway he might be able to leverage a lawsuit payment directly into his retirement-eligible wages which could take what might be a 60%-of-salary pension and get it closer to a 100% pension.
Re: (Score:2)
Sometimes that's why companies pay people for early retirement. There's nothing to gain from firing someone as a scapegoat officially; it's better to keep stuff out of the news.
At least officially the person is retired. And the company may still have a hook on that person in case they need something.
Re: (Score:2)
"instead of "coming clean" to a newspaper, he should have filed a wrongful termination suit."
Do IT people actually get to do this? And file such a suit without running into 'You'll never get work on this planet again'? Blaring his account to the media might have been the only way to redress this.
Re: (Score:2)
Do IT people actually get to do this? And file such a suit without running into 'You'll never get work on this planet again'? Blaring his account to the media might have been the only way to redress this.
If I was an employer, an employee airing complaints to the media about his former job would scare me more than knowing that he had filed an unlawful termination lawsuit.
Re: (Score:2)
This guy is radioactive anyway. He was a scapegoat for people above him in the hierarchy fucking up. This is what people in power that fuck up do - instead of admitting they don't know everything and are not perfect, they pick a drone that they can spin a narrative around (out of whole cloth, basically) and sell it to the angry mob who doesn't understand the issues involved. Yes, it basically ends someone's career, but the important thing is that it isn't their career like it should be.
So, since his care
Re: (Score:2)
And I take issue with the fact that a terminated employee should be punished further for telling the truth about a situation. Any time someone is punished for telling the truth, we all lose.
I don't disagree. I was commenting on the post that said that career wise, it is better for people to go to the public media to broadcast the situation versus a private lawsuit.
Re: (Score:3)
Experience says that whistle-blowing is the best and fastest way to get blackballed. I'm pretty sure "You'll never work on this planet again" is already the case.
His career is over (Score:1)
Unless he's got some dream friends in high places, his career is over. When he goes for another job - right or wrong - the potential employer will see he went public.
It's worse if he tries to consult on his own.
Re:His career is over (Score:4, Insightful)
His career was over when he got tagged for causing a huge data breach. At least this way he's unemployable for something he actually did.
Re: (Score:3)
"instead of "coming clean" to a newspaper, he should have filed a wrongful termination suit."
Except for the fact that most employees in the state of Georgia are "at will". Which generally means they can fire
him with or without cause. Without knowing if there was an employment contract it's just speculation.
Re:saner summary. (Score:5, Interesting)
Re: (Score:1)
If this guy was responsible for communicating with the outsource, and his order resulted in data contamination, then he is pretty much the only employee of the state available for personnel action.
I suppose they might cancel the contract with PCC, but that would be bad for the economy, disrupt state business for however long it takes to authorize a new contract, and likely has some breach of contract or early termination costs. Also, probably an admission of error at a much higher level
Re: (Score:1)
" ... the only employee of the state available for personnel action."
Brian Kemp stated clearly he takes all responsibility. He should therefore fire himself.
Re: (Score:2)
At-will does not protect an organization from wrongful termination or libel or slander. He can probably end up in a mediation for damages.
Re: (Score:2)
Unless you're a member of a "protected group", and/or you can demonstrate explicitly illegal behavior (like wage violations), you will not win a wrongful termination lawsuit. Being made a scapegoat is not illegal behavior on the employer's part. In the eyes of the law, there is no injury to the former employee here - you can be fired for any time for any reason, or no reason at all. That is what "at-will" employment means. The burden is on the former employee to demonstrate the true reason why they were
Re: (Score:2)
What has the employer done wrong here? They fired him. They don't legally need a reason or a justification. Anyone can be fired at any time with no notice, justification, or recourse. Making a scapegoat out of someone is not illegal.
There is no winning if he files a wrongful termination lawsuit. He will lose the suit, and further destroy his employability. Being blamed for a data breach is one thing (he's probably unemployable just because he got blamed for it, right or wrong) but if an employer sees
Re: (Score:2)
Except for the fact that most employees in the state of Georgia are "at will". Which generally means they can fire
him with or without cause. Without knowing if there was an employment contract it's just speculation.
At least three mistakes were made here. Thus far, only one mistake is being addressed, and that's the cover-up made by the employee.
The vendor needs to be taken to task. The vendor has security access to the data. Supposedly, the staff of the vendor should have been trained properly. Also, even if the public agency didn't disclose the breach, the vendor should have publicly disclosed it. It obviously didn't either.
And finally, what's up with Secretary Kemp? Why is he sending out political party affi
Re: (Score:2)
The vendor needs to be taken to task. The vendor has security access to the data. Supposedly, the staff of the vendor should have been trained properly. Also, even if the public agency didn't disclose the breach, the vendor should have publicly disclosed it. It obviously didn't either.
This
Like many people on this site, I work in IT. I get requests for access to data all the time. Some are obvious that they should be granted (a new manager is hired and they ask for access to the management section of the file server). Some are obvious they shouldn't be granted (an engineer asks for access to our controlled documents, which by company policy are restricted to only 2 people [uncontrolled versions are available to larger groups]). Some are less obvious. In those cases, I typically push t
Re:saner summary. (Score:5, Interesting)
They were right to fire him, but not for what he did, but what he did not do.
The data was exposed for 10 days, and he fixed that the instant he discovered the exposure.
What he did not do was tell his boss about it.
His boss was put into the position of walking into a meeting with his dick hanging out, and he could have known, but the one guy who did know " thought it was ok"
Of all the sins an employee can make, it is a thousand times worse if the boss finds out about a screwup in his department from guy at the top, or worse, the newspaper, or worse yet, the lawyers.
Re: (Score:1)
That really depends on the work environment. He may have known that if he brought it to the attention of his boss, he would have been blamed and possibly fired for it even though it wasn't his fault. Or maybe people were leaving private documents on public shares every few weeks and people were sick of reporting it.
If you found and fixed a seemingly minor security vulnerability that appeared to have gone unexploited, would you start ringing alarm bells or just consider it closed, make a note, and go about
Re: (Score:1)
It's not my job to protect my fucking idiot of a boss.
It is my job to protect myself from him.
Re: (Score:2)
Too bad that's a rare thing. Too many managers think their job is to be the overseer wielding the whip on the backs of the field workers instead of the person whose biggest role is running interference against the bureaucratic garbage that stop the team from being productive.
Re: (Score:2)
Then again, I've never been in a position to reveal butt loads of SSNs either. Yet. bwa haa haaa.
Re: (Score:2)
Re: (Score:2)
I've worked with a few large corporations that had a pretty clear policy on this: if you suspect that sensitive data has been exposed, you must tell your boss or the infosec guys.
The large corporation that employs me has exactly this policy.
Re: (Score:2)
Sometimes it's also better for management to not know everything, they may look like retards at first glance but if they were informed about every SNAFU that occurred they wouldn't be able to do their jobs.
It's also a security matter, if a manager knows everything that is to know then that person is also a security risk.
Re:saner summary. (Score:4, Interesting)
The miscommunication still falls on the person directly managing the situation, even if they weren't qualified to understand the problem.
You don't need to be a carpenter to run a general contracting company and build homes, but if you build faulty homes and someone gets hurt it still lands on your head. You can try to blame a sub-contractor, but one of the main reasons people hire general contractors is to manage all the multiple elements of a complex build.
If Cooley did not fully understand what was going on or did not fully communicate his needs, that's his fault, especially as the person effectively in charge of the project. Of course Cooley's boss should still take the brunt of the blame because that's how you root out bad management.
The people who posted this info must have had access to it; any reasonable amount of follow-through should have alerted them that a large amount of sensitive data was being posted publicly. I've been in plenty of IT situations where I had to rein in security because everyone else was oblivious, even though that was clearly not my job role. IT work isn't unskilled labor; you're supposed to know better than to do stuff like this, even if you're just working with a company to host some data online. I suspect they were all getting paid well enough that there is no excuse for being so sloppy and oblivious.
Re: (Score:3)
IT work isn't unskilled labor; you're supposed to know better than to do stuff like this, even if you're just working with a company to host some data online. I suspect they were all getting paid well enough that there is no excuse for being so sloppy and oblivious.
This^
Thanks, you said it better than I did.
Re: saner summary. (Score:2)
People take the path of least resistance. Work the tickets that come in properly, delay till SLA on the whiners, and there is no SLA on emails. You take your time to respond that this email request should be submitted via a ticket.
I used to run a service desk and have had to deal with this many times. Executing on the emails is basically your actions speaking louder than your words.
Re: (Score:2)
Wrongful termination almost never works these days. They can fire you for having the wrong shirt color and there's nothing you can do in most states. Even if there was a chance in Georgia, he'd still need absolute proof that this was the reason for his firing (i.e., were the reasons for his termination put into writing). You can make inferences but that won't often work if you've got big lawyers versus small lawyers.
So really the best bet to get the job back or get compensation is to make it public, becaus
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
One thing that you're missing, at least according to the articles I read, is that when he became aware of the issue, he didn't report it, but simply removed the files. I've worked in government agencies dealing with PII before, and in almost all cases, knowledge of a breach of procedure like this requires reporting even if you don't have evidence that the data was ever accessed by an unauthorized party, with penalties ranging from internal disciplinary actions to civil or criminal charges. While this doesn'
Re: (Score:2)
Why is this not a surprise? (Score:4)
Nothing will change until top people like Brian Kemp or the former head of OPM are thrown into jail for years.
Re: (Score:1)
Donald Trump is still in the running because:
1) Republicans are *that* angry that the world didn't go ka-blooey...
Maybe the world didn't go ka-blooey. But a while back I came across some blog post on the internet about how hard it would be to choose if you were granted a single wish. And I thought, "That's not hard at all. I'd wish to have never been born."
The mainstream Democrats and Republicans are a good choice if the last couple decades have been good to you - if you're happy with the direction that the USA is headed and want more of the same.
Myself, I'm tired of being a slow boiled frog - seeing politicians li
Re: (Score:2)
No, just no. Fatalism and feeling guilty over your own existence is absolutely no way to live, and despite what you might be telling yourself, you don't really want to die.
Please get into counselling with a suitable professional ASAP.
Begin the process by calling a mental health or suicide prevention hotline *right now*.
Re: (Score:2)
It shouldn't be between Trump and Clinton. The polls show Bernie leading Hillary, and that Bernie against Trump would end in a Bernie victory. So Trump or Clinton is a false dichotomy. It could be Bernie. And if you don't like the choices, move. After a reelection of Bush, I figured there was nothing that could save the US, so I moved to a better place. Lower taxes, free health care, and better civi
Re: (Score:2)
But it sure as hell wasn't easy - not if you're moving your whole family on a limited budget.
It wasn't hard to move a family of 4 half way around the world. The single largest expense in the exercise was shipping so much stuff with us. Next time, we'll leave more of our things behind. That'll cut the moving cost significantly. Showed up with about 3 months salary savings, no job, no place to live (a hotel reservation for a week). Found a longer hotel for a larger room at a cheaper price, bought a cheap car, and scouted out the new city, found a job, rented a house, and all that. Rented for a
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Right. Because Americans are so fucking awesome that all you have to do is turn up anywhere else and they grant you instant citizenship.
Re: (Score:2)
Trump is just more of the same only louder. I don't have much hope that the guy who was proud to be known for yelling "you're fired" is going to have any empathy for the unemployed. No, I don't suggest Hillary as an alternative. Your best shot is to vote in the primary hoping to get not Trump or not Hillary.
Re: (Score:1)
It's always a minion that gets blamed and punished.
Six Phases of a Project
* Enthusiasm
* Disillusionment
* Panic
* Search for guilty
* Punishment of innocent
* Praise and honour for non-participants
Blame game (Score:2)
It was all 100% the sacrificial lamb's fault.
This message has been approved by YAHWEH.
FINALLY SOMEONE IS FIRED! (Score:1)
Doesn't matter if it's not the best to be fired, just as long as someone is made accountable! Go Georgia State!
The most confusing part: (Score:1)
Why is there a link to the article, that talks about this other link to the actual article. That's just weird.
I'm not surprised. (Score:5, Insightful)
Re: (Score:2)
It's a horrible headline.
Did the data breach speak out and cause the IT worker to be fired?
Was the IT worker fired because he spoke out about the data breach?
Was the IT worker already fired because of the data breach now speaking out?
The proper headline would read "IT Worker Speaks Out After Being Fired for Massive Georgia Data Breach"
shit article (Score:2)
I don't usually complain about articles, but what the fuck, Slashdot.
I was actually interested in this shit! That article says no fucking thing.
Re: (Score:1)
But, someone who thinks repeatedly saying "fuck" somehow makes their argument stronger is unlikely to spend more time reading, anyway.
Re: (Score:1)
First, you're expecting someone to click not only on TFA, but one of four links in the summary, then click on one of three other links within one of those links, and then recognize that, by hovering on the link, that unlike all other websites in the last decade, some text labeled "www.myajc.com" doesn't actually link to the main site of http://www.myajc.com/ but the specific article with more info ...?
You're the sort of employee that is awesome, and the sort of employer that I dread to work for. Hope you'r
Re: (Score:2)
They are the same company, but the actual meat of the article is behind their stupid paywall. They have a shitty model for a news site, which is give you random bits of info, but not the ones you want, then ask for money.
Re:Doesn't matter (Score:4, Informative)
The F-up was that the people he requested for the separate new format data misunderstood the request and instead of creating a new file with the new format, simply updated the existing voter registration data and left it in the normal location that voter registration data always existed and didn't notify the person who was fired that they had made the changes like that. It wasn't until the person who was fired asked the contractor for an update on the new configuration that he was informed that it was done the day of the request and that they simply updated the voter registration file with the data.
The only mistake that the person fired made was that he then simply yanked and sanitized the voter registration file to remove those fields (since it shouldn't be in the voter registration file) and ran a search to try and see if anyone had accessed and copied the file (which didn't turn up anything). So he figured everything was caught before any damage could have been done. However, what he didn't know was that someone else had accessed and copied the file, but copied it to a place they were not supposed to copy it to (which is why the search turned up that no one had accessed the file), and then didn't review the file (again, as per policy for all files being sent out) for anything that shouldn't be sent out, and made CDs/DVDs of the copied file and sent them out to the 12 organizations/groups/individuals that always receive the monthly voter registration data.
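The failure described in this comment, restricted fields appended to the file in its normal public location and then shipped without the required outbound review, is exactly what an automated pre-release gate catches. The following is an added example, not code from the Secretary of State's office or from PCC Technology Group; the approved column layout, the restricted column names and the sample rows are all constructed for illustration.

```python
"""Pre-release review of a public voter-file extract (added example).

Two independent checks run before a file may be released:
  1. the header must match the approved public layout exactly, and
  2. every value is scanned for SSN- and birth-date-shaped data, so a
     restricted field smuggled in under a harmless column name still trips.
Layout, column names and rows below are constructed, not the real file.
"""
import csv
import io
import re

# Assumed approved public layout; the real statewide file is not on the page.
PUBLIC_LAYOUT = ("voter_id", "last_name", "first_name", "county", "precinct", "status")

# The three fields the story says were never meant to leave the agency.
RESTRICTED_COLUMNS = {"ssn", "birth_date", "drivers_license"}

# Value shapes checked regardless of column name. A nine-digit numeric ID
# will also match the SSN pattern; that is a deliberate bias toward review.
VALUE_PATTERNS = {
    "ssn": re.compile(r"^\d{3}-?\d{2}-?\d{4}$"),
    "birth_date": re.compile(r"^(\d{4}-\d{2}-\d{2}|\d{2}/\d{2}/\d{4})$"),
}


def review_extract(csv_text, allowed=PUBLIC_LAYOUT):
    """Return a list of findings; an empty list means the file may go out."""
    findings = []
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader, None)
    if header is None:
        return ["empty file"]
    header = [h.strip().lower() for h in header]
    allowed_set = {a.lower() for a in allowed}

    # Check 1: schema drift. Anything outside the approved layout is a finding;
    # known-restricted names are reported as such so the reviewer sees why.
    for col in header:
        if col in RESTRICTED_COLUMNS:
            findings.append(f"restricted column present: {col}")
        elif col not in allowed_set:
            findings.append(f"column not in approved public layout: {col}")

    # Check 2: content scan. Catches mislabelled or unnamed restricted fields.
    for lineno, row in enumerate(reader, start=2):
        if len(row) != len(header):
            findings.append(f"line {lineno}: expected {len(header)} fields, got {len(row)}")
            continue
        for col, value in zip(header, row):
            for kind, pattern in VALUE_PATTERNS.items():
                if pattern.match(value.strip()):
                    findings.append(f"line {lineno}: {col!r} looks like a {kind}")
    return findings


def release_allowed(csv_text):
    """Gate function for the distribution step: True only with zero findings."""
    return not review_extract(csv_text)


# Constructed sample in the approved public layout.
CLEAN_FILE = """voter_id,last_name,first_name,county,precinct,status
10234567,Doe,Jane,Fulton,SS01,Active
10234568,Roe,Richard,Cobb,CB12,Inactive
"""

# Constructed sample of the failure mode: the same file, same location, with
# the three restricted fields appended instead of written to a separate file.
CONTAMINATED_FILE = """voter_id,last_name,first_name,county,precinct,status,ssn,birth_date,drivers_license
10234567,Doe,Jane,Fulton,SS01,Active,123-45-6789,1970-01-01,GA1234567
10234568,Roe,Richard,Cobb,CB12,Inactive,987-65-4321,03/15/1982,GA7654321
"""

if __name__ == "__main__":
    for name, text in (("clean", CLEAN_FILE), ("contaminated", CONTAMINATED_FILE)):
        print(name, "->", "RELEASE" if release_allowed(text) else "HOLD")
        for finding in review_extract(text):
            print("   ", finding)
```

Running the gate on the monthly extract before the CDs are burned would have held the contaminated file on the header check alone; the value scan is the backstop for the case where the extra fields arrive under innocuous names.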
Re: (Score:1)
Re: Doesn't matter (Score:2)
Re: (Score:1)
Re: (Score:2)
birth dates and social security numbers (Score:3)
People should stop using birth dates and social security numbers for security or identification purposes. We should use smart cards and public keys for identification, both for government services and financial transactions.
Re: (Score:2)
Yes, this! None of this info is private! And so, there was no data breach. Not only is the poor employee being blamed for an action that he didn't do, it wasn't or shouldn't even be problematic.
Further, if the info was thought so sensitive, why was it evidently stored without encryption? Who didn't encrypt the data? For decades, passwords have been transformed with secure one way hashes, and not even the system admins can view the originals. (May still be crackable, but that's another issue.) User
Re: (Score:2)
People should stop using birth dates and social security numbers for security or identification purposes. We should use smart cards and public keys for identification, both for government services and financial transactions.
Yes, but the only real practical way to do this is tie the key to biometric information such that when that private key or the signing authority gets compromised, you can get a new key by a) being alive and b) matching the biometric data. It should work at least until we can start duplicating people. Of course, if you tried to suggest such a thing in earnest, you'd be bombarded left and right by the civil libertarians and the religious wingnuts, government intrusion or mark of the beast, take your pick. P
Re: (Score:2)
You don't need online biometric information. A simple off-line photograph and fingerprint are enough. Sworn affidavits may also be used to replace some of those identifiers. That is, if you lose your identification card, you go to an office and re-establish your identity,
hmm (Score:2)
"The new file, he told them in an email, should include the same layout as the state’s regular statewide voter file. But, he said, it needed an addition of the three new data fields with the sensitive information."
Should be easy enough to verify this if the email hasn't been deleted or modified. If the request was to put the fields in a new file, onus on the other party. If not, onus on Cooley.
Re: (Score:1)
Re: (Score:2)
And what if the email says literally what is reported there and nothing else: "The new file should include the same layout as the regular voter file but with the addition of the three new data fields." Is it "easy to verify" which of your two cases is the case? No, it's ambiguous. Onus where then?
To me that is not ambiguous.
There is an existing file referenced by the website. If the requester specifies a new file, that does not mean to change the existing file.
Isn't it?
Scott-free for Kemp (Score:2)
The Sec of State in GA is an elected position and as a result Kemp answers to no-one, not even the Governor. Kemp answers to the voters, only. And only on election day. And in this state the voters are probably going to give a blank stare about all of this mess. Burning CDs is majick wizard stuff.
So Kemp will be re-elected next round.
Why are voter records and SSN numbers ever merged? (Score:2)
"Cooley said the story began in late summer when the Secretary of State’s Office received a request from the Georgia Department of Revenue. The state agency, he said, wanted regular voter files plus something not given out to the public: voters’ Social Security numbers, birth dates and driver’s license numbers."
I can understand voter records including an address and birth date (verifying someone is old enough to vote and in the right precinct, and easier distinguishing between multiple peo
The really sad part (Score:1)