http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=privacy&articleId=9035723 By Brian Fonseca September 11, 2007 Computerworld A computer forensics expert has uncovered an additional 106,821 pieces of personal data on a copy of a stolen backup tape removed from the car of an intern responsible for carrying data used by the Ohio state government's computer systems. The finding, released in two reports on Monday by Interhack Corp., arrives three months after the incident occurred. In its report, Columbus, Ohio-based Interhack said the missing backup tape featured newly discovered names and Social Security numbers of 47,245 individuals; the names and Social Security numbers of 19,388 former state employees; and banking information on less than 100 businesses, according to Ron Sylvester, a spokesman for the Ohio Department of Administrative Services. Additionally, the names and federal employee identification numbers of 40,088 businesses were unearthed by Interhack. Information from that file was being used by the state's Ohio Administrative Knowledge System (OAKS) to help populate and test E-Controlling Board, a state Controlling Board business application. Following Interhack's analysis, Sylvester confirmed that in total more than 1.3 million pieces of personal data were stored on the stolen backup tape. The groups affected include state taxpayers, Medicaid providers, payroll vendors, dependents, students and state government employees. The incident is expected to cost the state almost $3 million. Of that total, $2.3 million covers projected and existing enrollment in Debix Inc. credit protection services. Debix enrollment paid for by the state for affected individuals will remain open until Oct. 31. Debix protection will not be extended toward any businesses with information on the lost backup tape. At the time of its theft, the missing tape was being used to carry information from the government's office tower to an off-site location, where roughly 100 state workers and 100 Accenture employees are responsible for testing, configuring code and customizing PeopleSoft applications. That effort is part of Ohio's massive $158 million OAKS ERP project. "The particular drive that this tape was used to back up... was the sort of the testbed drive, so a lot of data was real and historical data being used to test different parts of the OAKS system -- everything from payroll functionality to accounting functionality," said Sylvester. "That's why there were a lot of these files on here, because they were testing things like cutting purchase orders, paying mileage checks -- all the business processes that the current legacy systems use -- and making sure the way OAKS was being configured would work." Since it was a temporary site, a network administrator from the state's previous administration had decided as part of his business continuity plan that he would take backup tapes home every night. However, Sylvester said over time that practice had "devolved" to include interns taking the tapes home. When the data breach occurred, he said his administration was unaware of the backup tape transportation plan. "Unfortunately, there should have been a different way to handle those backups in place. The way [the previous administration] was handling those backups is a very 1980s kind of thing, that's what people use to do in the old days," said Sylvester. The Ohio State Patrol was not notified and therefore didn't begin its investigation of the stolen state government backup tape until three or four days after the incident occurred. The Hilliard Ohio Police Department, which was the first law enforcement agency to become aware of the theft, didn't know about the sensitive data on the tape, so it only filed a report without an investigation, said Sylvester. Because of the data breach, an internal review of how backups are handled across all state government agencies is being conducted. In cases where tapes are taken off-site, a service is being used to transport them securely to ensure that employees are not transporting data in their personal vehicles. ____________________________________ Visit the InfoSec News Bookstore http://www.shopinfosecnews.org
This archive was generated by hypermail 2.1.3 : Tue Sep 11 2007 - 22:52:31 PDT