Shostack + Friends Blog Archive


Florida workers claim outsourced HR system reveals PII, lacks audit trail

The Tallahassee Democrat reports on an interesting disclosure instance: whistleblowers revealing allegedly shoddy data security practices at their former employer. The twist is that those doing the talking are not the folks whose jobs were outsourced, but former employees of the outsourcing firm.
From the article:

In an affidavit taken for a lawsuit by five state workers who say they were put at risk of identity theft, a former Convergys employee alleges that some People First workers playfully poked through personnel files of Bush, Attorney General Charlie Crist, Chief Financial Officer Tom Gallagher and DMS Secretary Tom Lewis, whose agency has been laboring with Convergys for two years to work out chronic kinks in People First. Another ex-employee signed an affidavit saying she was told by Convergys bosses not to let state employees know their information was at risk.

If these claims are true, it’d hardly be a shock that a consultant-built system paid for with government money turned out to be lousy. Now that disclosure has garnered widespread acceptance, though, tales of how such systems get built are not confined to departure lounge banter among consultants, or the water-cooler grousing of the rank and file subjected to the resulting “deliverables”.
A separate article describes how a subcontractor of Convergsys has also been accused of shenanigans involving PII:

Despite assurances by Convergys that personal information on state employees is safely kept on computers in the United States, a once-secret lawsuit against a former subcontractor alleges that private data was sent to India, Barbados and possibly China.
[… Plaintiff attorney] Newcomer said GDXdata used overseas scanning and indexing services “to save money” without telling Convergys. The suit says Convergys had billed the state at least $32 million when the case was filed, for work the company and the state thought was done domestically.

Now it’s time for me to try out a new toy. Tip o’ the hat to Eric Rescorla, from whose blog I learned of Etymotic.