Chris O’Keefe was, in a former life, an IT manager in charge of customer relationship management implementations at TIAA-CREF, a prestigious financial institution that handles some of the nation’s largest academic retirement funds.
OKeefe’s story is a cautionary tale for anyone in IT—particularly anyone that handles sensitive customer data.
Well into his 13th year on the job at TIAA-CREF, one of O’Keefe’s subordinates, a contractor named Sonia Radencovich, was recognized by a colleague as a felon who had helped her lover swindle more than $200 million from insurance firms.
She was scheduled for sentencing to federal prison several months into her job at TIAA-CREF.
But before Radencovich’s true identity had been discovered—she had applied for the job at TIAA-CREF using the alias Sonia Howe—she’d had unfettered access to customer data for a couple of months.
And she brought her own laptop and a couple USB devices to work, which she used to download customer information (it’s not clear how much information she downloaded).
“Sonia Howe had access that she needed to perform her job function—projects that had to do with the call center, systems our agents used when they answered the phone to identify customers when they call in,” said O’Keefe, who was Radencovich’s supervisor.
“By their nature she needed to test those things. It wasn’t her access [in question]; it was that this data was unscrambled—all if it.”
As the technical lead on two key ongoing initiatives at TIAA-CREF, Open Plan Solutions and Advice that Radencovich also worked on, O’Keefe was asked to help investigators determine how much information Radencovich had access to.
He did, and was fired in February 2005 for, he said, telling the truth: TIAA-CREF’s IT test environment was unencrypted and Radencovich had access to a whole lot of data.
“I told [TIAA-CREF] she had access to a lot more information than they wanted to let out,” said O’Keefe.
“TIAA-CREF said [Radencovich] had access to very little information—only 100 participants. The fact is, she walked away with a lot more data than that.”
O’Keefe estimates that Radencovich had access to a good portion of, or even all of TIAA-CREF’s 3.2 million customer records.
Shortly after he was terminated—for violating policies in his supervision of Radencovich, sharing passwords and allowing Radencovich to use her laptop at work—O’Keefe filed a Sarbanes-Oxley Whistleblower complaint with the Department of Labor, stating that he should have been protected for information revealed during the Radencovich investigation.
Last June, O’Keefe’s initial complaint was dismissed on a technicality; the DOL determined he worked for TIAA and not TIAA-CREF.
Read the full story on eWEEK.com: Former IT Manager Seeks Redress with SarbOx Whistleblower Lawsuit