The chief information security officer for the state of Pennsylvania was sacked this week, shortly after revealing that its IT systems had recently been hacked while on a discussion panel at a security conference.
Last week, Bob Maley revealed to attendees of the RSA conference in San Francisco that an unscrupulous driving instructor had hacked into the state Department of Transport’s IT systems to schedule more driving tests than he was allotted.
“What he was doing was saying [to potential customers], ‘You go over across the street, to John’s driver training, and it’s going to take you six to eight weeks to get your test. We can get you in tomorrow,’” Maley said, according to a blogger for the GovInfoSecurity website.
This week, local newspaper the Patriot News reported that Maley was out of a job.
Local officials have not confirmed that Maley’s departure was linked to his revelations. However, Computerworld cites a source ‘close to the matter’ as saying that he was dismissed for failing to get permission from the relevant authorities before disclosing official business.
Many security experts argue that organisations should be obliged to disclose security breaches, as doing so would not only warn individuals that their personal information may be under threat, but would also help other organisations realise the gravity of the threat. Businesses in California have since 2003 been obliged to inform customers if they have been hacked.
However, as Maley’s example appears to demonstrate, many organisations would rather not publicise the failings of their IT security measures.