[ISN] Data-theft investigation notes destroyed

From: InfoSec News (alerts@private)
Date: Sun Jul 16 2006 - 23:16:55 PDT


By Randy Ludlow
July 15, 2006

ATHENS, Ohio - A consulting firm hired to investigate data theft at
Ohio University violated state public records law when it destroyed
interview notes and other documents it used to prepare the audit, a
newspaper has reported.

Moran Technology Consulting of Naperville, Ill., acknowledged the
error after The Columbus Dispatch filed a public records request in an
effort to get copies of the materials.

The firm's report recommended the removal of two employees.

Officials at the company routinely discard such materials and didn't
realize their contract with the university held them subject to Ohio's
public records law, said firm president Charles Moran.

"I apologize; we just didn't know," he said.

The university did not authorize the company to dispose of the
records, said John Burns, the school's director of legal affairs.

The $85,440 contract Moran Consulting has with the university
specifies that the school maintains ownership of the report's
supporting materials and that the university is subject to public
records law, the Dispatch reported.

Moran characterized the missing paperwork as "virtually worthless."

"These are not a transcript of everything said. We may do an hour of
interview and get one page of bullet points out of it," Moran said.

Under Ohio law, courts can award a $1,000 civil fine plus legal fees
to a person filing a successful complaint regarding the destruction of

In April, Ohio University announced it had discovered a computer
breach at its training center for fledgling businesses. Since then,
the school has identified a total of five instances of data theft at
various offices that exposed 367,000 files containing personal
information such as Social Security numbers, names, medical records
and home addresses.

Moran Consulting prepared a 55-page analysis criticizing the Computer
and Network Services division for making security a low priority for
more than 10 years, though it had an annual budget averaging $11
million and recent annual surpluses averaging $1.4 million.

After the audit was released, university trustees approved the
spending of up to $4 million to bolster computer security. The school
also suspended the director of the computer services department, Tom
Reid, and the school's Internet and systems manager, Todd Acheson.

Lawyers for both men requested copies of records used in the audit and
copies of an uncensored version of the audit, which they have not
received because Reid and Acheson refused to sign confidentiality

Acheson's attorney, Fred Gittes, said that, without the materials used
to compile the report, his client cannot defend himself against the
audit's broad statements.

"What a horrible position this puts Tom Reid and Todd Acheson in.
There are these very vague, generalized statements with no specifics,
and now we can't get the specifics," he said.

A message seeking comment was left Saturday afternoon at the office of
Reid's lawyer, James Colner.

Information from: The Columbus Dispatch, http://www.dispatch.com

