When Your SysAdmin Goes To The Media

by Chris Josephes

Related link: http://www.startribune.com/stories/462/5481317.html




If you're not from my area, you may not know too much about this hacking incident. Here's a brief summary.



Medica, a Minnesota-based health plan provider, experienced a publicized security breach when it was disclosed that hackers stole confidential data from its servers. In this case, the perpetrators of the breach are believed to be a pair of former employees, who downloaded internal company documents and went through executive emails. According to Medica statements, it is unlikely that personal information of Medica's customers has been downloaded or compromised.



The Star Tribune article gives a rundown of the security issues from a former employee. By reading the article you can make guesses as to what Medica had (or did not have) in the way of security infrastructure, but it's still very light on details. We'll probably learn more during the lawsuit against the employee hackers.



But I have to question the motivations of the former security engineer in bringing up these details to the press. Was it a sense of civic duty, a simple discussion with a reporter, or was it grandstanding? That's not my place to say. But I'm probably not the only person out there who has the same question.



To put it another way, what's going to happen when I try to Google some search terms like '"employee name" security'? This probably isn't a good thing in the long run.



I will offer some advice. If you're a systems administrator, just be careful when it comes to disclosures to the media. If you're a current employee, there are proper internal channels that need to be taken before you should even speak to a reporter. If you're an ex-employee, take a few minutes and think about what you want to say, whether or not it's really worth saying, and whether or not your name should be associated with it.