800,000 stolen social security numbers: a 22-year-old scapegoat?

July 26, 2007

A 22-year-old intern said today he’s the “scapegoat” for the loss of over 800,000 social security numbers.

A backup tape was stolen from his car last month containing at least 770,000 social security numbers (with the corresponding names) for Ohio taxpayers. It also contained the social security numbers for another 64,000 state employees. Today the intern issued a statement with his side of the story.

Four months ago 22-year-old Jared Ilovar — who’s studying computers at DeVry University — started an internship with the state of Ohio. He said he’d sometimes take home a data tape to ensure there was an off-site version of the data. “The extent of my instructions on what to do after I removed the tapes from the tape drive and took the tapes out of the building was, ‘bring these back tomorrow.’”

So on the night of the theft, over 800,000 social security numbers were on a tape in his car, parked outside his apartment. “It is my understanding that five or more cars were broken into the same night as my car was broken into…” he announced today, “and now I am the scapegoat for the State of Ohio.”

It became the internship from hell — though from a security perspective, it was an undeniably sloppy procedure. A separate report Friday from Ohio’s Inspector General noted that the intern “remembered to bring them into his apartment approximately 85% of the time,” and that on those occasions, he’d put the data tapes “on top of his TV, so that he would remember to bring them back on the following day.” After investigating more than a month, the Inspector General reported this had been the policy for over five years, and that for the last two years, it had been executed by interns. (One intern even described the continuing tradition proudly as “the passing of the torch.”) Amazingly, the same policy had also been in effect at Ohio’s Office of Management and Budget for the last eight years.

Their report also faults the chain of command, which was muddled by contractors. The Inspector General identified Jared Ilovar as “a 22-year-old, $10.50-an-hour employee” hired just three months earlier, who received his assignment from…another intern. The intern reported to a $125-an-hour consultant, who reported to another $200-an-hour consultant…

But the intern also says that when he reported the theft of the backup tapes, he was instructed not to notify the police. “Because of my following their instruction…I was looked upon as if I was the criminal. I was put through a grueling three hour polygraph test, numerous interviews with various investigators, and countless phone calls…” The Inspector General reports that, had a timely report been filed, the Highway Patrol could have been alerted — and nearby trash bins could’ve been searched in case the tapes had been discarded nearby.

And the internship from hell ended badly, too. In his statement today, he remembered that Friday, “I was called in to an office and handed a letter of resignation and told, ‘sign this letter of resignation or you are fired.’” He asked for more than 10 minutes, so he could talk to his parents — and was refused. He later resigned — then spoke to his parents again, and rescinded his resignation. And then was fired.

The Inspector General’s report shares a crucial recommendation from Gartner Inc. and other security analysts: encrypt data before storing it off-site, and secure it like cash. (If armored transport is not used, the data should instead be transmitted electronically to off-site storage over a secure connection.) Though the State of Ohio is a $52-billion-a-year enterprise, they had instead authorized “a succession of interns” to take the unencrypted tapes home for the previous two years, with a friendly reminder to store them “in a safe place.”

Using census data from 2000, it seems the stolen data includes social security numbers for 7.3% of the people in the entire state of Ohio. And the city police force has since offered a whopping $500 reward for the return of the data.

Looking at the incident, a technology worker in another state identified the real culprits as the policy makers for the state of Ohio.

“That is an unbelievable back-up plan!

“‘Make Skippy do it!’”

30 Responses to “800,000 stolen social security numbers: a 22-year-old scapegoat?”

  1. Matt:

    Unfortunate… :(

  2. yns88:

    Boy am I glad I don’t live in Ohio right now!

  3. Steve:

    Interns, apprentices, temps, part timers… The scapegoats for ANY large office base that involves tech. Internal network crash? FNG did it. Security door left unlocked? FNG did it. Building set fire? FNG did it.

    I would like to see the micromanager and then their boss get some lumps from this travesty of data security management.

  4. JGM:

    Sorry, I don’t see the “Scapegoat” thing, but I do believe that he shouldn’t be the only one fired and then prosecuted into oblivion. This kid was a fool to leave something as important as this in his car overnight. Even though the whole concept of taking the backups home overnight as an “off site” backup is foolish, his lack of foresight in protecting sensitive data that belongs to his employer is just as negligent as the poorly conceived backup plan itself.

  5. Thierry:

    I truly feel sorry for that guy.

    22 years old, and in internship, it’s not at that moment of your life that you will be arguing with an established consultant about how his job should be done, and now he’ll be flagged as “the man who had lost 800,000 social security numbers”.

    I seriously hope that he will fight back, he is far from being the only culprit here.

  6. Unklegwar:

    Can I just point out that he IS an idiot? Putting magnetic tapes on top of the TV? They were most likely worthless when brought back.

  7. Jason:

    IMHO the consultants should be the ones fired. I’m a data protection technical consultant for a large financial institute and we secure our off-site tapes with Iron Mountain and all are encrypted using a data encryption appliance. The consultants should have known that the procedure of having interns take tapes home with sensitive data on them was not the proper thing to do and should have changed the practice by instituting tape encryption and using a tape archive service like Iron Mountain to securely ship and store them off-site.

    The intern should file wrongful termination charges against the state as he was clearly made to be the scapegoat. A 22-year old intern is not going to necessarily question the practice, especially if it is blessed by the management. He’s not to blame here, but management is.

  8. M. Moses:

    He is not the idiot as a TV will not erase such a tape. He is also not the idiot as nowhere in the story can one infer that they said, “Oh, btw, these tapes will be erased if you…”

    I’ve worked on a project specifically designed to deal with issues like these that if the tapes are stolen, not biggie, they’re not decryptable.

    The level of incompetence is simply amazing on the institutional level, not the intern level.

  9. BuckJohnson:

    Who gives an intern backup tapes – regardless of what is on them? Careless move by the IT department. Obviously a lax security atmosphere.

  10. Peter:

    Well, he could have been a bit more careful, but I agree he’s not the one who should take the blame. It looks like he wasn’t the most conscientious intern they’ve ever had, though.

    What the heck were they thinking? An intern reporting to a consultant who reported to another consultant? Sensitive data being handled by consultants with no state employees in the loop at all?

    And why is an *intern* taking the data home?
    None of these high priced consultants ever thought that wasn’t such a good idea? I’m thinking the state of Ohio could use a new CIO and perhaps a different consultant…one who gives a bit more value for money.

  11. AH:

    He’s an intern – taking the tapes home like he was told. Who leaves that up to an intern? Who ever did that should be fired – not the intern. The idiot who setup the backup routine and didn’t encrypt them should be prosecuted – not the intern. Internships are for learning – and generally you don’t entrust them to sensitive tasks – especially when they have only been there a few months.

    The whole idea of taking tapes home – even if they are in your house or apartment full of opportunities for something to happen to them. Someone can just as easily break into your house as your car. Even if you are in the house, how much danger would you put yourself in to defend them from being stolen?

  12. William:

    The $125/hr consultant that intern answered to and the $200/hr consultant should be replaced immediately. They are idiots. The upper management who sanctioned this “tape backup” security scheme should be fired. Firing the intern as a scapegoat to cover their own asses makes them look worse if they don’t fire every person up the chain of command.

  13. Wing:

    To blame the intern, in this situation, is pointless. He was doing what he was told to do. If he had experienced security and data retention experience, do you think he would be working at a $10.50/hour internship!?

    He was told to move the tapes offsite and bring it back tomorrow. His boss’s boss was another consultant. Who was he going to complain to? What was he going to complain about?

    Who should the finger be placed upon?

    1) The $125/hour consultant who told the intern to move the tapes offsite without proper procedures to ensure the safety of the tape and the privacy of the data. He should have known better!

    2) The $200+/hour consultant who told the $125/hour consultant to manage the data and not checking. He should have known better.

    3) The entire chain of management that has seen this process through for the last half a decade or more, but didn’t think to audit and make sure things were done right, given what has happened with other “data loss” issues in the last couple of years. They should all be let go, for putting citizen’s private data at risk and making them now the possible victims of identity theft.

    4) $500 reward? WTF?

    What does this indicate? It indicates both extreme incompetence and ignorance, regarding proper procedures regarding data retention and data transport. This, is at best. At worst, it indicates potential willful negligence to lower costs. Proper data retention costs money. Costs money to invest in the HW to encrypt, to ship properly, and to store properly.

    Firing the intern is pointless. That’s just the whole chain of people above him passing the buck.

    This kind of “firing the new guy” to save everyone’s own skin is gutless and just the kind of mentality that needs to be removed from an organization, if there is any hope of protecting and safeguarding private information.

    God help the people of Ohio.

  14. JD:

    You NEVER give sensitive or important stuff to interns. They’re still learning, thus the whole “intern” thing. Did the intern himself even know what he was carrying? Most likely, no.

    Nothing tells us it wasn’t one of the consultants that knew which car was his and saw their chance…

    Sure, the guy could’ve been more careful, but he was neither instructed to be careful in any way, nor given specific guidelines as to what to do with the stuff. Why was the stuff being taken out overnight in the first place?

    The entire thing sounds like it was made SPECIFICALLY for people somewhere in between the intern and the top to get whatever information they want and need, and, if it’s too sensitive not to have a scapegoat, pass it down one more step after making a few copies…

    Or just stealing’em out of said scapegoat’s car.

  15. JD:

    You NEVER give sensitive or important stuff to interns. They’re still learning, thus the whole “intern” thing. Did the intern himself even know what he was carrying? Most likely, no.

    Nothing tells us it wasn’t one of the consultants that knew which car was his and saw their chance…

    Sure, the guy could’ve been more careful, but he was neither instructed to be careful in any way, nor given specific guidelines as to what to do with the stuff. Why was the stuff being taken out overnight in the first place?

    The entire thing sounds like it was made SPECIFICALLY for people somewhere in between the intern and the top to get whatever information they want and need, and, if it’s too sensitive not to have a scapegoat, pass it down one more step after making a few copies…

    Or just stealing’em out of said scapegoat’s car.

    Someone had to know they were valuable in the first place. Why wasn’t it the car or the stereo stolen? A bunch of tapes lying in the back? Doesn’t sound like regular car theft here.

  16. BSG:

    Folks have very little idea how IN-secure their personal data really is. How else could folks sleep at night, or watch “American Idol” without fear of going stark-raving crazy in fear and paranoia.

    A brief anecdote here – In the early 00′s I worked for a software developer. I came to the realization one day that the sample database we were sending out with each and every software package contained REAL names, with REAL social security numbers. (Insert smilie of animated hair-raising here.)

    When my young IT mind deduced that this might not be the sterling idea that someone apparently thought it was, I opined to my A$$hole/Manager (yes, that was his actual title, or it should have been) that I thought it an unsafe idea, and maybe we shouldn’t be doing that, he shrugged it off with the truly bizarre, freakish explanation that “oh, that’s just data from a bank that’s no longer in business”. (Did I mention what a complete a$$hole he was?)

    “Umm…………… those are still real people and real SS#’s”, I answered. So, I took it upon myself to make up humorous versions of all those names, with fictitious SS#’s before we sent out the database again.

    Oy!

  17. queuno:

    I was involved with a contract with a major hospital in Cleveland whose IT staff was located about 3 blocks away from the hospital itself. When I went to visit, I found their “DR strategy” was to remove the tapes from the backup server and carry them to their offices 3 blocks away. The backup server was on a floor that had experienced flooding.

  18. Larry:

    The one thing I’d caution others to consider is encryption isn’t a panacea. NOT ALL DATA needs to be encrypted, but obviously, the data mentioned in this article was an appropriate candidate for encryption.

    And I have to agree with many respondents that this was an extremely poor business practice, the concept of sending tapes home with employees as a means of providing protection to backup datasets for business continuity is a HUGE ERROR.

    No one’s home is designed to provide proper protection for media, and many employees live relatively close to their workplaces, so it wouldn’t be uncommon for them to experience a similar disaster at their homes (flood, earthquake, tornado, hurricane, etc.) Also, the article cited the fact that the employee routinely placed the tapes on top of his TV when he took them into the home… the heat and magnetic field there must have been REAL GOOD for the tape! =)

    This employee and any others working elsewhere who are asked to do this as a part of a normal business practice should either refuse involvement, or ask for some letter to be placed in their file absolving them in advance for any possible impact to their employment status as a result of the data being compromised.

    If an organization isn’t willing to properly protect their backup tapes and/or vital records to ensure business continuity by having them picked up, transported and stored by a business properly suited to provide this service. BUT… don’t just choose a provider because they might be big, choose one that has trained staff, properly equipped vehicles, tracking systems, and storage spaces that are designed for MEDIA, including providing proper environmental controls, security, and fire protection for your information assets stored on media while under their control.

    Bigger isn’t always better… ask any potential service provider if their facilities meet the NFPA232 Standard requirements for media vaulting, if they don’t look elsewhere. And even if they say they do, make sure you visit the facility first!

  19. Rick:

    Ok, So I live in Ohio. And I just get this letter from the state. Sigh……

  20. Rick:

    Ok, So I live in Ohio. And I just get this letter from the state. Sigh…… Yup, not good news.

  21. Citizen:

    $500 reward is hilarious. I wonder how many thousands will be spent on the mailing to the residents aka victims advising that there is nothing to worry about. Managerial incompetence strikes again. It is the bane of this country. Nobody dumber than a manager.

  22. Coolhead2001:

    In my opinion, it was a cluster on both ends.

    Admittedly, the state of Ohio shouldn’t be trusting such confidential information to an intern. That simply goes beyond common sense, and yes you’d figure they’d have more secure means to safeguard the tape elsewhere.

    As for the intern… while he’s taking a lot of the heat for this, it’s well deserved. While he might not have had a lot to work with, he should have been smarter than to leave the tape in his car. From what I’ve read, it’s not the first time he did so.

    As for him being a scapegoat? I hardly agree. He was at fault, however the State of Ohio is also at fault. I believe that if they’re going to ask for resignations, they need to start a lot higher on the food chain.

  23. Skwerl:

    Why is everyone surprised by the $500 reward? The tape’s unencrypted- One only needs to copy the tape to have everything valuable on it. The physical tape is worthless.

  24. Disgusted:

    Good God! If this is the method the government has for backup and recovery of data, we are in a lot of trouble.

  25. jasper_johns:

    I stole the tape, and it was erased by the T.V.

  26. devtrench:

    Ahh, your tax dollars at work :) Sad thing is that this kind of incompetency seems to run rampant in most state institutions. Makes me feel real good about giving my money to the government.

  27. ssn:

    Always keep your social security number in secret or your identity can be stolen and used by illegal aliens.

  28. Jodie @ Idaho 4G Wireless:

    Hi there, just doing some browsing for my Idaho 4g site. Can’t believe the amount of information out there. Not quite what I was looking for, but nice site. Cya later.

  29. private investigator maryland:

    Unfortunately, in my line of work as a Maryland private investigator, I see this type of security breach all the time. There is always a risk when sensitive material leaves any facility. Such a shame.

  30. P-Server:

    This site was… how do you say it? Relevant!! Finally I’ve found something which helped me. Thanks a lot!

Copyright © 2014 Blorge.com NS