http://www.columbusdispatch.com/dispatch/content/local_news/stories/2007/06/19/BYEDATA.ART_ART_06-19-07_A1_N9728JD.html

By Mark Niquette
THE COLUMBUS DISPATCH
June 19, 2007

A state office had been sending backup data tapes home with interns for two or three years before a tape with sensitive information was stolen from an intern's car last week, The Dispatch has learned.

In fact, it appears that the former technical manager for the Ohio Administrative Knowledge System didn't use regular state employees -- only two or three interns besides himself -- to take the data home on a rotating basis for safekeeping, said Ron Sylvester, a spokesman for the Ohio Department of Administrative Services.

"On its face, with what we know today, this seems like a questionable decision," Sylvester said.

State Rep. Jay Hottinger, R-Newark, was more blunt.

"Not since Monica Lewinsky have we seen an intern with such access," Hottinger said yesterday after voting with the rest of the state Controlling Board to spend more than $700,000 to deal with the fallout so far from the June 10 theft of the backup tape.

The manager, Carl Miller, retired May 31, Sylvester said. Miller, who records show was hired by the state in 1977 and earned $116,063 last year, couldn't be reached. His pay worked out to $54.10 an hour; the intern made $10.50.

Gov. Ted Strickland has confirmed that the tape stolen from intern Jared A. Ilovar's car holds myriad crucial data, including Social Security numbers of state employees and their dependents, identities of welfare recipients plus banking information for school districts, local governments and others.

According to a state policy that officials said was last updated in April 2002, two backup copies were to be made each day of the data in the state's $158 million payroll and accounting system, known as OAKS.
The current day's backup tape was to be maintained on site in the network administrator's office, and the previous day's backup tapes were to be taken to the network administrator's home in case of a fire or other disaster at the office.

But as the project became more active and resources became stretched, Miller started assigning interns for a week at a time to take a backup copy home every day, Sylvester said.

Yesterday, the bipartisan Controlling Board voted unanimously to spend as much as $731,000 for the initial response to the data theft, after complaining about what Hottinger called the "mind-boggling" policy of sending sensitive data home with a 22-year-old intern.

The spending includes up to $631,000 for Texas-based Debix Inc. to provide free-to-employees identity-theft protection and prevention services for non-university state workers and their dependents who are enrolled in the state's benefits program.

The cost to the state is $9.75 for each of about 140,000 eligible employees and dependents who sign up for the service. But Strickland said he doesn't expect all state workers to use the service because only about a quarter of those eligible in such situations elsewhere have signed up.

About 11,000 state employees and dependents had requested the service as of yesterday, Sylvester said.

The panel also earmarked up to $100,000 for Interhack Corp. of Columbus to assess the security of the new state accounting setup and to verify that state officials have identified all important data that have been stolen.

Meanwhile, the investigation of the theft and search for the missing tape continued yesterday. Nearly 50 State Highway Patrol cadets searched the area where the theft was reported in Hilliard, and a toll-free tip line has received five calls, Lt. Tony Bradshaw said.

Budget Director J. Pari Sabety said the administration is considering offering a reward for the tape.
Strickland has said that there is no evidence the data have been accessed and that it would take specialized knowledge and equipment to do so. But experts have said because the sensitive data were not encrypted -- a step Strickland has now ordered -- it may be possible for the right person to read the tape.

Curtin, the founder of Interhack, said it would take time, expertise and money for someone to read the tape. Because the state has notified those whose personal data may be affected, it would be difficult for a thief to use the information, he argued.

"So at this point now, if somebody tries to use the data, they're going to be found out pretty quickly," he said.

School districts and Medicaid providers that potentially could have their bank accounts revealed were cautious but not overly concerned yesterday. As they were encouraged to do by state officials, many school treasurers notified their banks about the potential exposure.

"The bank account and routing number is on every check we issue so it's not as much concern as the tax identification number of the district," said Bexley Schools Treasurer Chris Essman.

Sylvester has said other entities in state government also have been sending backup data home with employees, but that the practice was not widespread and has been stopped. The backup OAKS tape now is sent daily to a second state facility to be stored securely.

Curtin said the practice of sending backup data home with employees is fairly common because of the cost involved in hiring a company to do it or using another facility.

-=-

Dispatch Senior Editor Joe Hallett and reporters James Nash and Catherine Candisky contributed to this story.