[ISN] Interns carried state data home nightly

From: InfoSec News (alerts@private)
Date: Tue Jun 19 2007 - 22:10:28 PDT


http://www.columbusdispatch.com/dispatch/content/local_news/stories/2007/06/19/BYEDATA.ART_ART_06-19-07_A1_N9728JD.html

By Mark Niquette
THE COLUMBUS DISPATCH 
June 19, 2007

A state office had been sending backup data tapes home with interns for 
two or three years before a tape with sensitive information was stolen 
from an intern's car last week, The Dispatch has learned.

In fact, it appears that the former technical manager for the Ohio 
Administrative Knowledge System didn't use regular state employees -- 
only two or three interns besides himself -- to take the data home on a 
rotating basis for safekeeping, said Ron Sylvester, a spokesman for the 
Ohio Department of Administrative Services.

"On its face, with what we know today, this seems like a questionable 
decision," Sylvester said.

State Rep. Jay Hottinger, R-Newark, was more blunt.

"Not since Monica Lewinsky have we seen an intern with such access," 
Hottinger said yesterday after voting with the rest of the state 
Controlling Board to spend more than $700,000 to deal with the fallout 
so far from the June 10 theft of the backup tape.

The manager, Carl Miller, retired May 31, Sylvester said. Miller, who 
records show was hired by the state in 1977 and earned $116,063 last 
year, couldn't be reached. His pay worked out to $54.10 an hour; the 
intern made $10.50.

Gov. Ted Strickland has confirmed that the tape stolen from intern Jared 
A. Ilovar's car holds myriad crucial data, including Social Security 
numbers of state employees and their dependents, identities of welfare 
recipients plus banking information for school districts, local 
governments and others.

According to a state policy that officials said was last updated in 
April 2002, two backup copies were to be made each day of the data in 
the state's $158 million payroll and accounting system, known as OAKS. 
The current day's backup tape was to be maintained on site in the 
network administrator's office, and the previous day's backup tapes were 
to be taken to the network administrator's home in case of a fire or 
other disaster at the office.

But as the project became more active and resources became stretched, 
Miller started assigning interns for a week at a time to take a backup 
copy home every day, Sylvester said.

Yesterday, the bipartisan Controlling Board voted unanimously to spend 
as much as $731,000 for the initial response to the data theft, after 
complaining about what Hottinger called the "mind-boggling" policy of 
sending sensitive data home with a 22-year-old intern.

The spending includes up to $631,000 for Texas-based Debix Inc. to 
provide free-to-employees identity-theft protection and prevention 
services for non-university state workers and their dependents who are 
enrolled in the state's benefits program.

The cost to the state is $9.75 for each of about 140,000 eligible 
employees and dependents who sign up for the service. But Strickland 
said he doesn't expect all state workers to use the service because only 
about a quarter of those eligible in such situations elsewhere have 
signed up.

About 11,000 state employees and dependents had requested the service as 
of yesterday, Sylvester said.

The panel also earmarked up to $100,000 for Interhack Corp. of Columbus 
to assess the security of the new state accounting setup and to verify 
that state officials have identified all important data that have been 
stolen.

Meanwhile, the investigation of the theft and search for the missing 
tape continued yesterday. Nearly 50 State Highway Patrol cadets searched 
the area where the theft was reported in Hilliard, and a toll-free tip 
line has received five calls, Lt. Tony Bradshaw said.

Budget Director J. Pari Sabety said the administration is considering 
offering a reward for the tape.

Strickland has said that there is no evidence the data have been 
accessed and that it would take specialized knowledge and equipment to 
do so.

But experts have said because the sensitive data were not encrypted -- a 
step Strickland has now ordered -- it may be possible for the right 
person to read the tape.
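The experts' point above is that a backup tape written in the clear is readable by whoever ends up holding it. The following is an added example, not part of the Dispatch story and not code from Interhack or the state: a small Python check that a backup administrator could run over a sample read from a tape or backup image to decide whether the media is plaintext (low per-byte entropy) and whether it contains SSN-shaped strings or checksum-valid ABA routing numbers. The sample payroll rows, names and numbers are constructed for the example, the random bytes stand in for a sample from encrypted media, and `ENTROPY_THRESHOLD_BITS` is an assumed cut-off.

```python
"""Check whether a backup sample is readable plaintext and whether it exposes
SSN- or bank-routing-shaped identifiers. Standard library only."""
import math
import os
import re
from collections import Counter

# Constructed sample of what an unencrypted payroll backup might contain.
# Every value here is made up; none comes from the article or a real person.
PLAINTEXT_BACKUP = (
    b"EMPLOYEE,SSN,BANK_ROUTING,BANK_ACCOUNT\n"
    b"DOE JANE,123-45-6789,123456780,000123456789\n"
    b"ROE RICHARD,987-65-4321,987654320,000987654321\n"
)

# Stand-in for a sample read from properly encrypted media: output of a sound
# cipher is statistically indistinguishable from random bytes.
ENCRYPTED_SAMPLE = os.urandom(4096)

SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
NINE_DIGIT_RE = re.compile(rb"\b\d{9}\b")

# Assumed cut-off: samples above this are almost certainly compressed or
# encrypted; readable records sit well below it. 8.0 is the maximum per byte.
ENTROPY_THRESHOLD_BITS = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def aba_checksum_ok(digits: str) -> bool:
    """ABA routing-number check: weights 3,7,1 repeating, sum divisible by 10."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(w * int(d) for w, d in zip(weights, digits)) % 10 == 0


def find_exposed_identifiers(data: bytes) -> dict:
    """Return SSN-shaped strings and checksum-valid routing numbers found."""
    ssns = [m.decode() for m in SSN_RE.findall(data)]
    # One in ten random 9-digit strings passes the ABA check, so treat hits
    # as candidates to confirm against the payroll system, not as proof.
    routing = [m.decode() for m in NINE_DIGIT_RE.findall(data)
               if aba_checksum_ok(m.decode())]
    return {"ssn": ssns, "routing": routing}


def assess_media(data: bytes) -> dict:
    """Summarise one media sample: is it readable, and what does it expose?"""
    entropy = shannon_entropy(data)
    found = find_exposed_identifiers(data)
    return {
        "entropy_bits": round(entropy, 2),
        "looks_encrypted": entropy >= ENTROPY_THRESHOLD_BITS,
        "ssn_count": len(found["ssn"]),
        "routing_count": len(found["routing"]),
    }


if __name__ == "__main__":
    for label, sample in (("plaintext", PLAINTEXT_BACKUP),
                          ("encrypted", ENCRYPTED_SAMPLE)):
        print(label, assess_media(sample))
```

In practice the sample would be the first few megabytes read back from the tape rather than an inline constant; a low entropy figure together with any identifier hits is the signal that the media should never leave the building unencrypted, and the routing-number checksum keeps the count from being inflated by arbitrary nine-digit fields such as employee IDs.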

Curtin, the founder of Interhack, said it would take time, expertise and 
money for someone to read the tape. Because the state has notified those 
whose personal data may be affected, it would be difficult for a thief 
to use the information, he argued.

"So at this point now, if somebody tries to use the data, they're going 
to be found out pretty quickly," he said.

School districts and Medicaid providers that potentially could have 
their bank accounts revealed were cautious but not overly concerned 
yesterday.

As they were encouraged to do by state officials, many school treasurers 
notified their banks about the potential exposure.

"The bank account and routing number is on every check we issue so it's 
not as much concern as the tax identification number of the district," 
said Bexley Schools Treasurer Chris Essman.

Sylvester has said other entities in state government also have been 
sending backup data home with employees, but that the practice was not 
widespread and has been stopped.

The backup OAKS tape now is sent daily to a second state facility to be 
stored securely.

Curtin said the practice of sending backup data home with employees is 
fairly common because of the cost involved in hiring a company to do it 
or using another facility.

-=-

Dispatch Senior Editor Joe Hallett and reporters James Nash and 
Catherine Candisky contributed to this story.




