Princeton Review Breached: 100K records exposed

The NYT reported this morning on an interesting breach situation:

The Princeton Review, the test-preparatory firm, accidentally published the personal data and standardized test scores of tens of thousands of Florida students on its Web site, where they were available for seven weeks.
[…]
Another test-preparatory company said it stumbled on the files while doing competitive research. This company provided The New York Times with the Web address of the internal files on the condition that it not be named. The Times informed the Princeton Review of the problem on Monday, and the company promptly shut off access to that portion of its site.

Strangely there is no mention of logs or security monitoring at all in this article.

In terms of compliance, the exposed information included names, birth dates, ethnicities and learning disabilities, along with test performance. That combination is generally not treated as personally identifiable information under breach-notification statutes, which typically trigger on a name paired with a Social Security, driver's license or financial account number; a name and birth date alone can be shared by more than one person. And FERPA does not apply because the Princeton Review is not a school that receives funds from the U.S. Department of Education.

Nonetheless, it made the NYT because a competitor disclosed it, and I suspect there will be increased scrutiny of how regulations can protect children from identity breaches.

KY arrests wrong man, jailers get haircut

Identity mistakes are all over the news these days, but I particularly enjoyed this story about a Kentucky sheriff who drove all the way across America, picked up a man in California, and drove him back before anyone realized they had arrested the wrong person:

When Oros got to the Butler County Jail and again claimed he wasn’t the right person, Jailer Terry Fugate pulled a mugshot, which looked like a different person.

“That guy is ugly,” Oros told The Courier-Journal of Louisville of his impostor. “I’m pretty.”

After finding the mistake, Butler County officials paid for Oros to fly back to California. Meanwhile, the real suspect they were searching for is still on the lam.

The benefit of having your identity stolen in Kentucky, apparently, is a taxpayer-financed road trip. Meals, clothing and a tour guide, as well as the return flight, are provided. You can argue against going on the trip, but those Kentucky public servants are not so easily fooled:

Gaddie told The Daily News of Bowling Green that Oros told them he wasn’t the man they were looking for, “but nearly everyone says that on this type of retrieval.”

Everyone? Does that include people who do not match the mugshot of the wanted suspect? Funny how that factor is conveniently overlooked. I guess if you trust the word of no one, then you should probably be prepared with additional forms of verification, no?

“Nobody here in Butler County did anything wrong,” Gaddie said. “Everybody did what they were supposed to do.”

I disagree. The people who were trying to identify a suspect did not use a reliable form of identification. They relied on a single data point that is known to be unreliable: a name.

The comment from Gaddie looks like a form of glib reassurance, as though admitting fault would be unacceptable. The “just following procedures” argument is a pathetic excuse in this case. The facts speak for themselves — sloppy work led to an expensive false arrest and detention. Anyone who reads the news knows about identity theft. Sheriffs should be more professional and use caution before blowing a county budget on a wild goose chase.

Oros could have contributed to the confusion when he signed an extradition waiver.

That sounds like “blame the victim”.

The Louisville newspaper reported that Oros asked prison officials in California to verify his claims that he wasn’t the right person, but they apparently didn’t run the check and Oros signed the waiver allowing him to be transferred without a hearing.

“I asked him why he signed the waiver of extradition,” Gaddie said. “And he said he didn’t know what he was signing.”

Or perhaps he knew that he was signing up for a free road trip across America at the expense of Kentucky taxpayers? But seriously, the burden was on a man to prove his innocence even though the only thing tying him to a crime was his name. Now prison officials, as well as law enforcement officers, are implicated in this strange tale of guilty by name until proven innocent.

Oros told the Louisville paper that he enjoyed the ride to Kentucky – his first trip outside California.

“They fed me good,” he said. “They were entirely nice people.”

Sign up now for your free trip.

When their fingerprints didn’t match, Oros was removed from his cell and officials began making arrangements to get him back home. Oros, who recently graduated from barber college, thanked the deputy jailers by giving them free haircuts.

“They all look good now,” he said.

Mugshot did not match, fingerprint did not match; the only match was the name. Brilliant. Will anybody be told what “they are supposed to do” so this does not happen again? How nice of Oros to let his jailers off the hook. He seems like a very trusting guy.

I doubt the county was motivated to import a recent barber college graduate for haircuts, so it stands to reason that sloppy detective work and a lack of information security awareness are at the heart of this sad but funny story.

Penguin serves as Colonel-in-Chief

The Norwegian King’s Guard clearly has a cute sense of honor:

The original Nils Olav first became an honorary member of the regiment in 1972, when a young lieutenant called Nils Egelien visited the penguins at the zoo, but died in the 1980s, and was replaced by the current Nils Olav.

The photo is by the Associated Press and they have a nice collection of similar shots. It really does look like Nils Olav is doing an inspection. I wonder if the guard uses fish oil or similar scent to keep Nils engaged.

Weak Governance and the American Recession

A fascinating article in the NYT about Dr. Nouriel Roubini points out that the current United States economic crisis was a predictable disaster. He found a pattern and tried to warn people in 2006 of the coming crisis:

Most of these countries also had poorly regulated banking systems plagued by excessive borrowing and reckless lending. Corporate governance was often weak, with cronyism in abundance.

I noted in the article that he wrote a book with Brad Setser, a friend and former colleague of mine. I had tried to convince Brad, I would guess around the same time, that he should work with me on a book about macro-security.

Brad was not convinced. He said he worked in an obscure monetary field that has little or no relevance to information security.

This article reminds me that economics is never far from security, even information security. The economic security of nations and the role of governance are a macro-scale study of the same issues most companies face every day when dealing with information security.

Maybe I’ll ping Roubini about this, although it sounds like he probably is in high demand:

Kenneth Rogoff, an economist at Harvard who has known Roubini for decades, told me that he sees great value in Roubini’s willingness to entertain possible situations that are far outside the consensus view of most economists. “If you’re sitting around at the European Central Bank,” he said, “and you’re asking what’s the worst thing that could happen, the first thing people will say is, ‘Let’s see what Nouriel says.’ ” But Rogoff cautioned against equating that skill with forecasting. Roubini, in other words, might be the kind of economist you want to consult about the possibility of the collapse of the municipal-bond market, but he is not necessarily the kind you ask to predict, say, the rise in global demand for paper clips.

That sounds exactly like the role of a security executive. They might be called a CSO, CISO, Chief Paranoid, or even court jester, but the role they play is critical to keeping the organization's view of risk balanced. Many times in my career I have been the only person to say "the data and reports show success highly unlikely and the benefits do not outweigh the risks: proceed with caution". The first time you tell executives or a board of directors that they are headed for disaster, you can expect resistance. After a disaster you predicted, you can bet management will at least ask for your view on all remaining projects.

As I used to say in meetings “it’s nice to look at the clouds during a picnic, but the guy watching ants is the most likely to predict the weather”.