Pennsylvania's chief information security officer, Robert Maley, has been fired, apparently for talking publicly at the RSA security conference last week about a recent incident involving the Commonwealth's online driving exam scheduling system.
A source close to the matter said Maley was terminated for not getting the required approvals from the Commonwealth's authorities to talk publicly about the incident.
Commonwealth rules explicitly require all employees to get approval from the appropriate authorities before they publicly disclose official matters, the source said.
A spokesman for the state's governor, Edward Rendell, has confirmed that Maley is no longer working for the Commonwealth. But he refused to say if Maley had been terminated, citing privacy rules.
Maley, who was Pennsylvania's CISO for more than four years, was part of a RSA conference panel discussing state cybersecurity issues last Thursday.
During the discussion, Maley talked about a recent incident involving a Philadelphia-area driving school that was trying to get early driving tests for its students. The source said someone at the school exploited a configuration "anomaly" in the Department of Transportation's online driver's test scheduling system.
The vulnerability allowed the school to essentially cut the line and schedule "a whole bunch of driver's licence exams" for its students, the source said.
The incident was reported to the state police, and the matter is currently under investigation, the source said.
Danielle Klinger, a spokeswoman for Pennsylvania's Department of Transportation, confirmed today that a problem had been uncovered in the driver test scheduling system, and that the matter has been turned over to state police.
However, she contested several media reports that have described the incident as a hacking attack, and said that as far as the the department was aware, there had been no hack or breach of the system.
Maley's dismissal comes amid ongoing budget and staff cuts at Pennsylvania's IT security organization, the source said. Over the past 18 months to two years, the administration has cut information security budgets by close to 38%, and staff by 40%. They also put a "lockdown" on talking about cybersecurity, the source claimed.