[ISN] Ohio official loses a week's vacation for theft of tape

From: InfoSec News (alerts@private)
Date: Wed Oct 10 2007 - 22:16:40 PDT


http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9042001

By Brian Fonseca
October 10, 2007 
Computerworld

An Ohio state official must surrender about a week of future vacation 
time as punishment for not ensuring the security of personal data stored 
on a stolen backup tape holding Social Security and other personal data. 
The tape was pilfered in June from the car of an intern responsible for 
carrying data used by the Ohio state government's computer systems.

Jerry Miller, payroll team leader for the Ohio Department of 
Administrative Services' Administrative Knowledge System (OAKS) ERP 
project, was informed of the decision by department officials on Sep. 
26, said Ron Sylvester, a spokesman for DAS. Miller accepted the 
penalty, Sylvester said.

Sylvester described Miller as a "stellar longtime DAS employee" and said 
he has been forthright in acknowledging his role in the "management 
glitch" pertaining to the stolen backup tape.

Last month, the state announced that an investigation by computer 
forensics experts at Interhack Corp. in Columbus, Ohio, had determined 
that the missing tape contained data on all 64,467 state employees, 
19,388 former employees and 47,245 Ohio taxpayers.

The data breach is expected to cost the state upwards of $3 million.

Though the administrative services unit was responsible for the data, 
Sylvester said the tape was handled by a number of people from other 
state agencies.

"Part of the problem is [the data] was outside of any one single 
person's hands. There were people who were not full-time tasked to OAKS 
who were coming in from agencies doing data migration and testing and 
introducing data on the drive," said Sylvester. "We believe we had some 
contractors who continued to introduce data on the drive.

"One lesson that the state learned is that we need to throw more 
resources at security and privacy when we have an issue like that," he 
added.

A third party brought in from Ohio's Office of Collective Bargaining 
investigated the incident and recommended the penalty, Sylvester said.

"The next time the state takes on a project of this scope, we're going 
to have people on the job whose major responsibility is just data 
security," he added.

