[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ISN] More personal data said to be on stolen Ohio government backup tape


By Brian Fonseca
September 11, 2007 

A computer forensics expert has uncovered an additional 106,821 pieces 
of personal data on a copy of a stolen backup tape removed from the car 
of an intern responsible for carrying data used by the Ohio state 
government's computer systems. The finding, released in two reports on 
Monday by Interhack Corp., arrives three months after the incident 

In its report, Columbus, Ohio-based Interhack said the missing backup 
tape featured newly discovered names and Social Security numbers of 
47,245 individuals; the names and Social Security numbers of 19,388 
former state employees; and banking information on less than 100 
businesses, according to Ron Sylvester, a spokesman for the Ohio 
Department of Administrative Services.

Additionally, the names and federal employee identification numbers of 
40,088 businesses were unearthed by Interhack. Information from that 
file was being used by the state's Ohio Administrative Knowledge System 
(OAKS) to help populate and test E-Controlling Board, a state 
Controlling Board business application.

Following Interhack's analysis, Sylvester confirmed that in total more 
than 1.3 million pieces of personal data were stored on the stolen 
backup tape. The groups affected include state taxpayers, Medicaid 
providers, payroll vendors, dependents, students and state government 

The incident is expected to cost the state almost $3 million. Of that 
total, $2.3 million covers projected and existing enrollment in Debix 
Inc. credit protection services. Debix enrollment paid for by the state 
for affected individuals will remain open until Oct. 31. Debix 
protection will not be extended toward any businesses with information 
on the lost backup tape.

At the time of its theft, the missing tape was being used to carry 
information from the government's office tower to an off-site location, 
where roughly 100 state workers and 100 Accenture employees are 
responsible for testing, configuring code and customizing PeopleSoft 
applications. That effort is part of Ohio's massive $158 million OAKS 
ERP project.

"The particular drive that this tape was used to back up... was the sort 
of the testbed drive, so a lot of data was real and historical data 
being used to test different parts of the OAKS system -- everything from 
payroll functionality to accounting functionality," said Sylvester. 
"That's why there were a lot of these files on here, because they were 
testing things like cutting purchase orders, paying mileage checks -- 
all the business processes that the current legacy systems use -- and 
making sure the way OAKS was being configured would work."

Since it was a temporary site, a network administrator from the state's 
previous administration had decided as part of his business continuity 
plan that he would take backup tapes home every night. However, 
Sylvester said over time that practice had "devolved" to include interns 
taking the tapes home.

When the data breach occurred, he said his administration was unaware of 
the backup tape transportation plan.

"Unfortunately, there should have been a different way to handle those 
backups in place. The way [the previous administration] was handling 
those backups is a very 1980s kind of thing, that's what people use to 
do in the old days," said Sylvester.

The Ohio State Patrol was not notified and therefore didn't begin its 
investigation of the stolen state government backup tape until three or 
four days after the incident occurred. The Hilliard Ohio Police 
Department, which was the first law enforcement agency to become aware 
of the theft, didn't know about the sensitive data on the tape, so it 
only filed a report without an investigation, said Sylvester.

Because of the data breach, an internal review of how backups are 
handled across all state government agencies is being conducted. In 
cases where tapes are taken off-site, a service is being used to 
transport them securely to ensure that employees are not transporting 
data in their personal vehicles.

Visit the InfoSec News Bookstore