Ohio data leak was 'accident waiting to happen'
Warning unheeded as thousands of records exposed
A stolen backup tape containing personal data on Ohio state workers also contained the names and Social Security numbers of around 225,000 state residents.
A mounting privacy brouhaha is building over the purloined tape, stolen on 10 June from the back of an unlocked intern's car. At first it seemed that the data contained on the tape only referred to 64,000 state workers and Ohio's 84,000 welfare recipients. Subsequent checks have revealed that data on taxpayers who are yet to cash state income tax refund cheques was also on the tape, greatly increasing the number of people potentially exposed to identity fraud.
State officials point out that reading the data on the tape would require specialist hardware and expertise. Even though there's no indication that any of the stolen data has been misused, 20,000 state workers have signed up to an identity-theft protection scheme, at a cost to the Ohio taxpayers of $700,000. State officials plan to extend this protection to other groups found to have been exposed to fraud.
The tape was nicked after a 22-year-old intern was asked to take it home as part of "standard security procedure". Gov. Ted Strickland has since stepped in to curtail the practice of workers taking backup devices home for safekeeping. He also announced a review of how state data is handled.
Questions are been asked about why the policy wasn't tightened up earlier after it emerged that the governor's transitional team warned that the state's computer security policies were lax before he took office in January.
A team of IT consultants concluded the state had "little to no policy guidance or standards" for protecting sensitive data, according to a report prepared by Strickland's transition team, unearthed by the Columbus Dispatch.
"Ohio's lack of a robust, unified privacy/security capacity lays it open to the type of data spills and breaches that have been plaguing the government and the corporate sectors in increasing numbers over the past few years," the report said, as reported by AP. ®
This is a demonstration of a problem I have noticed in Ohio:
For some reason, many organizations in Ohio rely on the technically challenged (Picture old bitty bragging: "I'm computer illiterate ..hahaha...") to hire all the techs and other IT sorts. You can see where proper selection and bullshit-filtering would become a problem. Added to that is the reality that dawns on the true techs who actually make it through the senseless hiring process: the idiots who almost hired the bullshit-with-many-acronyms-resume/interview person over the truly experienced tech is also in-charge of the other important decisions, such as your budget, or even the tools you are 'allowed' to use to do your job, or if that flashy new software the bullshit-with-many-acronyms-sales-brochure is touting as the next best thing actually does anything...
you get the picture.
not done for security.
Taking a backup offsite (usually IT top level types, but I have seen rotations like in Ohio all over the US) is not done for security. It's done to try to ensure that if a disaster strikes and the building/datacenter/servers are not there/functional in the morning you have only lost maybe a day worth of data.
There are companies that will come by and pick it up, but half the time they are about as secure as the intern’s car until they finish the route.
Small organizations and non profit ones most often seem to use the take home method from what I have seen.
protection in law
Until there is a law that says that data belongs to the person it applies to (i.e. me) then there is not much incentive to protect data.
For instance if there was no question in law that a organisation must pay the costs of a data lose to me no matter how extensive, then such a mistake as this would cost millions in conpensation, maybe with that kind of a threat the company would protect its money by protecting your data.
Overall we really have been conned with data use laws, they are all in favour of the companies making money or otherwise using MY information yet they have little of no real responsibility to me to keep it safe.