Former IT Manager Seeks Redress with SarbOx Whistleblower LawsuitBy Renee Boucher Ferguson | Posted 05-30-2006
OKeefe's story is a cautionary tale for anyone in ITparticularly anyone that handles sensitive customer data.
Well into his 13th year on the job at TIAA-CREF, one of O'Keefe's subordinates, a contractor named Sonia Radencovich, was recognized by a colleague as a felon who had helped her lover swindle more than $200 million from insurance firms.
She was scheduled for sentencing to federal prison several months into her job at TIAA-CREF.
But before Radencovich's true identity had been discoveredshe had applied for the job at TIAA-CREF using the alias Sonia Howeshe'd had unfettered access to customer data for a couple of months.
And she brought her own laptop and a couple USB devices to work, which she used to download customer information (it's not clear how much information she downloaded).
"Sonia Howe had access that she needed to perform her job functionprojects that had to do with the call center, systems our agents used when they answered the phone to identify customers when they call in," said O'Keefe, who was Radencovich's supervisor.
"By their nature she needed to test those things. It wasn't her access [in question]; it was that this data was unscrambledall if it."
As the technical lead on two key ongoing initiatives at TIAA-CREF, Open Plan Solutions and Advice that Radencovich also worked on, O'Keefe was asked to help investigators determine how much information Radencovich had access to.
He did, and was fired in February 2005 for, he said, telling the truth: TIAA-CREF's IT test environment was unencrypted and Radencovich had access to a whole lot of data.
"I told [TIAA-CREF] she had access to a lot more information than they wanted to let out," said O'Keefe.
"TIAA-CREF said [Radencovich] had access to very little informationonly 100 participants. The fact is, she walked away with a lot more data than that."
O'Keefe estimates that Radencovich had access to a good portion of, or even all of TIAA-CREF's 3.2 million customer records.
Shortly after he was terminatedfor violating policies in his supervision of Radencovich, sharing passwords and allowing Radencovich to use her laptop at workO'Keefe filed a Sarbanes-Oxley Whistleblower complaint with the Department of Labor, stating that he should have been protected for information revealed during the Radencovich investigation.
Last June, O'Keefe's initial complaint was dismissed on a technicality; the DOL determined he worked for TIAA and not TIAA-CREF.
Read the full story on eWEEK.com: Former IT Manager Seeks Redress with SarbOx Whistleblower Lawsuit