Following up on a previously noted breach, the employee in question has been charged. Note the key sentence that I’ve emphasized below in this report from NewsChannel5:
A former employee of the Tennessee Department of Treasury has been charged with identity theft trafficking in connection with the alleged theft of personal information belonging to some 6,000 state and Metro employees.
Metro Police arrested 24 year-old Steven Hunter Thursday, nearly a week after learning about this security breach and alerting Metro Schools that approximately 6,300 teachers and employees’ information had been stolen.
According to his arrest warrant, Hunter came across the teachers’ personal information when he was a state employee. Hunter was hired in July of 2013 to contact vendors doing business with the state of Tennessee, and was in charge of entering personal information of city, state and county employees.
Before he resigned from his position last Thursday, Treasury officials discovered that Hunter sent personal information about state and Metro Nashville Davidson County employees from his state email account to his personal email account.
The Tennessee Bureau of Investigation raided his home in Hermitage last Friday night to seize computers contained the information.
The TBI said he had also had done web searches on how to sell social security numbers, and he had numerous articles on people who had been arrested for identity theft.
Following his arrest, he told police he never sold any of them.
He was released on $10,000 bond Thursday night.
Okay, this might qualify for a dumb criminal award, but let’s remember that the department’s security controls did not prevent the employee from e-mailing the 6,300 employees’ information to a non-department email address. And what was the extent of their background check on him before they hired him? Were there any clues or signs that were missed?