11 comments

[ 24.4 ms ] story [ 280 ms ] thread
(comment deleted)
A Microsoft-owned company...

> Geisinger on Monday announced the results of a probe into a November computer security breach, placing the blame on Microsoft-owned Nuance Communications for not cutting off one of its employees' access to corporate files after that person was fired.

What douchebag gets fired, notices they still have access, and uses that to fuck over bystanders? Why is our industry full of pricks?
Sincere question: is the guy gonna get the book thrown at him?
TLDR looks to be a IT contractor to this health care company laid off someone but let them keep their IT access. That person then for "reasons unknown" stole a ton of patient records.

I know its popular online to complain about being cutoff from access when being let go. This might be a counterpoint to that outrage?

Not only is this a counterpoint, but the outrage never made sense to begin with, IMO.

It’s so easy to imagine the kinds of harm a disgruntled employee can cause with the right access that it’s hard to imagine why anyone would be upset at an appropriately swift access revocation process.

I've never understood that outrage with one exception. Especially when you're remote it's painful to get immediately cut off from communication apps and not having a chance to say goodbye to people. When someone leaves willingly they get a chance to send one last email with a personal contact method for people to keep in touch. If you're let go you don't get that chance.

I wish there was a way to remove access to everything except that, but sadly I can't think of anything foolproof.

In 2024, to have an offboarding process that doesn’t fully automate access revocation to all systems - much less the sensitive ones - is incredibly bad, especially for a company of Microsoft’s stature and position in the market.

I have a bad feeling that the 2020s and 30s are going to continue revealing these lapses where they exist, and while I experience no schadenfreude at headlines like this I’m also happy these incidents are getting major attention.

Why are those records not encrypted in the first place?
I don’t know if this is in the article, but Geisinger delayed notifying people whose information was taken, at the behest of investigators.

I saw one of the letters they’ve now just started to send.