The Register® — Biting the hand that feeds IT

Feeds

Ohio data leak was 'accident waiting to happen'

Warning unheeded as thousands of records exposed

By John Leyden, 22nd June 2007
  • print
  • alert

Customer Success Testimonial: Recovery is Everything

A stolen backup tape containing personal data on Ohio state workers also contained the names and Social Security numbers of around 225,000 state residents.

A mounting privacy brouhaha is building over the purloined tape, stolen on 10 June from the back of an unlocked intern's car. At first it seemed that the data contained on the tape only referred to 64,000 state workers and Ohio's 84,000 welfare recipients. Subsequent checks have revealed that data on taxpayers who are yet to cash state income tax refund cheques was also on the tape, greatly increasing the number of people potentially exposed to identity fraud.

State officials point out that reading the data on the tape would require specialist hardware and expertise. Even though there's no indication that any of the stolen data has been misused, 20,000 state workers have signed up to an identity-theft protection scheme, at a cost to the Ohio taxpayers of $700,000. State officials plan to extend this protection to other groups found to have been exposed to fraud.

Snafu

The tape was nicked after a 22-year-old intern was asked to take it home as part of "standard security procedure". Gov. Ted Strickland has since stepped in to curtail the practice of workers taking backup devices home for safekeeping. He also announced a review of how state data is handled.

Questions are been asked about why the policy wasn't tightened up earlier after it emerged that the governor's transitional team warned that the state's computer security policies were lax before he took office in January.

A team of IT consultants concluded the state had "little to no policy guidance or standards" for protecting sensitive data, according to a report prepared by Strickland's transition team, unearthed by the Columbus Dispatch.

"Ohio's lack of a robust, unified privacy/security capacity lays it open to the type of data spills and breaches that have been plaguing the government and the corporate sectors in increasing numbers over the past few years," the report said, as reported by AP. ®

Ensure Ease of Recovery with Asigra’s Agentless Software

COMMENTS

House Rules Send Corrections
All Reader Comments (15)
Latest Comments
Josh

Second thought

This is a demonstration of a problem I have noticed in Ohio:

For some reason, many organizations in Ohio rely on the technically challenged (Picture old bitty bragging: "I'm computer illiterate ..hahaha...") to hire all the techs and other IT sorts. You can see where proper selection and bullshit-filtering would become a problem. Added to that is the reality that dawns on the true techs who actually make it through the senseless hiring process: the idiots who almost hired the bullshit-with-many-acronyms-resume/interview person over the truly experienced tech is also in-charge of the other important decisions, such as your budget, or even the tools you are 'allowed' to use to do your job, or if that flashy new software the bullshit-with-many-acronyms-sales-brochure is touting as the next best thing actually does anything...

you get the picture.

0
0
Demian Phillips

not done for security.

Taking a backup offsite (usually IT top level types, but I have seen rotations like in Ohio all over the US) is not done for security. It's done to try to ensure that if a disaster strikes and the building/datacenter/servers are not there/functional in the morning you have only lost maybe a day worth of data.

There are companies that will come by and pick it up, but half the time they are about as secure as the intern’s car until they finish the route.

Small organizations and non profit ones most often seem to use the take home method from what I have seen.

0
0
jeremy

protection in law

Until there is a law that says that data belongs to the person it applies to (i.e. me) then there is not much incentive to protect data.

For instance if there was no question in law that a organisation must pay the costs of a data lose to me no matter how extensive, then such a mistake as this would cost millions in conpensation, maybe with that kind of a threat the company would protect its money by protecting your data.

Overall we really have been conned with data use laws, they are all in favour of the companies making money or otherwise using MY information yet they have little of no real responsibility to me to keep it safe.

0
0

More from The Register

breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
Speech-to-text drives motorists to distraction
Will talking to you mean I crash into that car up ahead, Siri?
30
DHS warns of vulns in hospital medical equipment
Has your doctor's anasthesia machine been hacked?
17
breaking news
Yes, maybe we should keep hackers in the clink for YEARS, mulls EU
Watch out black hats, they just might throw away the key
39
Microsoft borks botnet takedown in Citadel snafu
Stupid Redmond kicked over our honeypots, wail white hats
19
Critical Java SE update due Tuesday fixes 40 flaws
And yes, most are remotely exploitable
33
Kaspersky slips server security into PC software as attackers get crafty
Want to bag a CEO? Aim for his family
8
NSA accused of new crimes ... against slideware
They may take our information but they cannot take our REFINED AESTHETICS
40