[ISN] Stolen tape had information on 225,000 taxpayers, governor says

From: InfoSec News (alerts@private)
Date: Thu Jun 21 2007 - 00:10:03 PDT


http://www.ohio.com/mld/beaconjournal/news/state/17395223.htm

By STEPHEN MAJORS
Associated Press
June 20, 2007

COLUMBUS, Ohio - A missing computer backup tape containing personal 
information on 64,000 state employees and family members also holds the 
names and Social Security numbers of 225,000 taxpayers, Gov. Ted 
Strickland said Wednesday.

The tape, stolen last week from a state intern's car, contained 
information on taxpayers who have not cashed state income tax refund 
checks issued in 2005, 2006 and through May 29, 2007, Strickland said in 
what has become a nearly daily release of newfound information contained 
on the tape since the first disclosure Friday. The list includes checks 
that were cashed after May 29.

In addition, the tape includes the names and Social Security numbers of 
602 lottery winners who have yet to cash their winning tickets and 2,488 
Ohioans who have yet to cash checks for unclaimed funds payments, 
Strickland said. It also holds the names and bank account numbers for 
approximately 650 to 1,000 electronic funds transfers that weren't 
completed because they were bounced back by banking institutions.

Among other information on the device is bank account information for 
school districts and details on people enrolled in the state's pharmacy 
benefits program.

Strickland said he can't be certain the tape doesn't contain other 
sensitive information until an expert hired to review the data 
determines he's finished.

The administration continues to maintain that it does not believe the 
information has been accessed because it would require specific 
hardware, software and expertise. Strickland said 20,000 state employees 
had signed up for identity-theft protection as of Tuesday night, and 
there had been no indications that someone had attempted to use their 
personal information.

The state is paying more than $700,000 to provide all state employees 
with identity-theft protection services and to hire an independent 
computer expert to review what data the tape contained. Officials said 
they would extend identity-theft protection services to the new 
categories of people announced Wednesday.

The tape was stolen June 10 out of the unlocked car of a 22-year-old 
intern who had been designated to take the backup device home as part of 
a standard security procedure. When the governor announced the theft 
Friday, he also issued an executive order ending the practice of 
employees taking backup devices home for safekeeping and mandating a 
review of how state data is handled, including establishing an 
encryption protocol.

Data security experts said the unencrypted tape, described by Hilliard 
police as roughly 4 inches square and an inch thick, could be breached 
by someone with computer expertise, time and financial resources.

Ohio taxpayers can search an online database to determine whether their 
names are included in the stolen files. If so, they will receive a PIN 
number they can use to sign up for identity-theft protection.

Officials do not believe they will need to seek additional funds to fund 
the additional categories because generally about 20 percent of those 
eligible sign up for such services. The funding released Monday by the 
Controlling Board assumed all employees would use the protection.

The state entered into a "pay as you go" contract with Debix, the 
service provider, and will use more funds if necessary, officials said.

