How to Monitor Workers' Use of IT Without Becoming Big Brother
CIOs asked to monitor employees' use of corporate IT are entering a difficult area for managers, as recent litigation shows. Here's how to do it right.
In February, the Massachusetts Department of Industrial Accidents (DIA) disclosed that Francis Osborn, an IT contractor, had accessed and retrieved workers’ compensation claimants’ Social Security numbers from a DIA database. According to court documents, Osborn accessed 1,200 files and opened credit card accounts using three claimants’ information, charging thousands of dollars to those fraudulent accounts. In a statement, the DIA commissioner said the department was “conducting a thorough review of all security procedures.” Osborn was fired, arrested and charged with identity fraud.
Other incidents, however, are less egregiously criminal and therefore harder for CIOs to evaluate and handle. In February 2006, New Hampshire officials announced that they had discovered password-cracking software (a program called Cain & Abel) planted on a state server. Cain & Abel potentially could have given hackers visibility into the state’s cache of credit card numbers used to conduct transactions with the division of motor vehicles, state liquor stores and the veterans home. Douglas Oliver, an IT employee who in one news report referred to himself as the state’s “chief technical hacker,” admitted to media outlets that he had installed the program, saying he was using it to test system security. He said he did so with state CIO Richard Bailey’s knowledge. (Bailey did not respond to repeated requests for an interview.) Oliver was placed on paid leave during an investigation that involved the FBI and the U.S. Department of Justice.
On April 4, 2006, state officials announced that the Cain & Abel program had never been turned on and that it was “very unlikely” that any credit card information had been exposed. Oliver, who had never been named as the IT worker responsible for the incident, was invited to return to his job on April 25, 2006.
A more highly publicized incident occurred at Sandia National Laboratories in New Mexico. After a series of hacks on the lab’s network in 2004, Shawn Carpenter, a Sandia network security analyst, launched his own investigation. He eventually linked the attacks to a Chinese cyberespionage group and also discovered that U.S. government documents had been stolen. He shared his findings with the Army Counterintelligence Group and the FBI. In response, Sandia fired Carpenter in January 2005 for, as reported in Computerworld, “inappropriate use of confidential information.” But in February 2007, a New Mexico jury awarded Carpenter $4.3 million in his wrongful termination suit and in the process transformed him from a rogue IT worker into a national hero. (Sandia is appealing the verdict.)