With a hat tip to MPR’s own Bob Collins, a state contractor on the sharp end of public radio reporting seems to be threatening charges against the journalists who exposed security breaches in a job-seeker database.
MPR reporter Sasha Aslanian busted Texas-based Lookout Services Dec. 11 for leaving 500 names, dates of birth and Social Security numbers unsecured. Lookout ran state applicant data through the feds’ E-Verify system, and Aslanian says MPR was able to gain access to the private stuff “without using a password or encryption software.”
Monday, Lookout posted its response. The company, which announced a lawsuit against the state, is a bit more passive-aggressive when it comes to legal action against MPR. The statement notes that “the MPR reporter” was the only one who looked at some data, mentions possible federal violations and concludes ominously, “Lookout Services will aggressively seek prosecution of those responsible for this egregious act.”
As a wise lawyer once told me, anyone can sue for anything, and a prosecutor would need to sign off on any charges, no matter how mad Lookout is right now.
To me, the release seems written to let Lookout’s other customers know hackers didn’t get through, and I wonder if anyone, much less a journalist, can get rung up if the data was sitting in the open. I’ve contacted Lookout, MPR and cyber-law experts and will let you know when they check back.
Here are the money parts of the release, emphasis mine:
Bellaire, Texas-based Lookout Services Inc. (Lookout Services) today announced that limited portions of the company’s proprietary software may have been illegally compromised by an individual or individuals seeking access to client records.
The information disclosed as a result of the intrusion was limited in scope both by the amount of data that was accessible and the type of data that was accessible. Lookout has confirmed that with respect to some data only the Minnesota Public Radio reporter viewed the data. …
Given the circumstances, Lookout does not believe that the purpose of the intrusion was for the purpose of identity theft. However, an investigation may reveal more details about the exact motives in the weeks and months ahead.
“We have contacted the FBI and other law enforcement officials and we are fully cooperating with their investigation into how this matter,” said Elaine Morley, CEO of Lookout Services.
Lookout Services Inc. filed suit against The State of Minnesota on December 10, 2009, but did not inform The State of Minnesota at the time the lawsuit was filed. In days prior to filing suit, Lookout Services notified The State of Minnesota with concerns about conduct of numerous attempts at unauthorized intrusions involving computers with IP addresses belonging to The State of Minnesota and Minnesota Public Radio.
“We told the State of Minnesota we were requesting an investigation, due to concerns that federal laws were being violated,” Morley said. ”After expressing concerns to The State of Minnesota, the State agreed to instigate an investigation, but we felt that The State of Minnesota was not taking swift action, so we began blocking IP addresses and shutting down users.”
Since that time, Lookout Services has refused to grant any users at The State of Minnesota access to the software.
“Lookout Services will aggressively seek prosecution of those responsible for this egregious act,” Morley said. “We will not tolerate the illegal disclosure of client information.”
What possible IT services could the State of Minnesota require that couldn’t be done by a Minnesota-based business?
As with the Colorado-based Flatiron folks whose highest bid won the I-35 bridge rebuilding contract, does Gov. Pawlenty ALWAYS award contracts to out-of-state firms?
Collins has a followup post up as well. This may be an interesting case from a legal perspective. It looks to me like Aslanian did not actually divulge any information. Lookout Services appears to be attempting to distract from their own failures by targetting MPR and/or the State of MN. That strategy seems risky, as it could potentially backfire in a big way.
How snide can a company be? Lookout Services isn’t looking out for anyone but itself.
Mark: Not to mention that the governor wants a company in Maine to store our confidential medical records/histories which should, if all providers must create computerized records, be stored in your doctor’s office and sent to another provider only at your request.
There’s been some discussion about insurance companies mining such data for research purposes, but of course we are assured that our names will not be released.
And there’s the French provider of wind towers that came to call on Pawlenty to see if he’d buy some. He did, and the new Minnesota branch of the French company created something like 15 jobs. The question is, why wasn’t the state helping to finance a local startup firm to build these towers?
Makes me wonder what he’s cooking up in Latin America this week.
I coulda swore they passed a law here in MN in the last few years requiring that state outsourcing be directed to MN based companies whenever there is one that can do the job. Anyone else remember this?
And big government is the problem ? Seems to me buying things on as my father used to say, “the cheap” is what is causing the problem. We all know you get what you pay for as long as it’s applied to being in it for yourself. We can economize on the other guys back.
I agree with Joe,
This isn’t the first high-tech flop of the Pawlenty Administration. The dirty little secret of all this small government crap over the last 30 years is that it hasn’t really saved any money. Private companies lowball bids and then jack em up after the state dismantles it’s own capacities. Then there’s the cost of screw ups by low bid companies that should never have gotten contracts in the first place. Then there’s the myth of private sector efficiency just because it’s private sector. The funny thing is Lookout trying to pretend that someone else broke the law by making this stuff public instead of them… typical. And no, they can’t prosecute anyone. It’s like those e-mails that say at the bottom: “the contents of this e-mail are confidential….” as if tacking that onto an e-mail inoculates the sender from liability for sending it to the wrong person in first place. Funny. It’s really very simple, Lookout had a contractual obligation to adhere to data privacy. No one outside the contract is bound by that obligation. The idea that they’re going to somehow take action against an MPR reporter is just funny. Unless the story dies this will all just end up focusing a boat load of attention on Lookouts negligence.
Haven’t people learned from Horizon Group in Chicago (they’re a “sue first, ask questions later” company), et al?
Corporate America: Don’t piss off the Internet!