Tuesday, June 19, 2007
Bank data on stolen tape
Bank data on stolen tape
Ongoing analysis determines that governments, school districts among those who may be affected
Sunday, June 17, 2007 3:43 AM
By Mark Niquette
THE COLUMBUS DISPATCH
David Foster Dispatch
Gov. Ted Strickland has issued an executive order to develop a program to encrypt sensitive data. The information on the stolen tape was not encrypted.
Data in jeopardy
Types of data confirmed to be on a stolen state backup computer tape so far:
The names and Social Security numbers of all 64,467 non-university state employees.
Names, Social Security numbers, addresses and phone numbers of 53,797 state employees enrolled in the state's pharmacy-benefits management program, plus the names and Social Security numbers of 75,532 dependents. Officials don't think medical information is included.
Bank-account information for school districts and local governments to receive payments from the state. Officials are assuming that all local governments and school districts are included.
Medicaid provider names, tax identification numbers, addresses and bank-account information to receive payments from the state. There are 159,708 records, but officials think many are duplicates because there only are about 77,000 state Medicaid providers.
The names, Social Security numbers and retirement-account numbers for the 1,031 state employees who are part of the State Teachers' Retirement System. This includes current employees and those who have retired since Dec. 21, 2005, who paid into the system.
The banking information, addresses and phone numbers of the 28,362 state employees and vendors who receive electronic payment of expense reimbursements from the state.
Source: Gov. Ted Strickland
Whom to contact
Employees whose names and Social Security numbers were on a stolen computer storage tape are encouraged to go to www.ohio.gov/idprotect or call for recorded information at 1-888-644-6648. The Web site will have any updates regarding enrollment in the free identity-theft protection program the state is providing for one year.
If employees have additional questions, they may also contact their human-resources office or 1-800-267-4474 and 1-877-742-5622 to speak with a customer service representative. The call center will be open as follows:
Today -- 10 a.m to 4 p.m.
Starting Monday -- 8 a.m. to 5 p.m.
Bank-account information for local governments, school districts and certain state employees and vendors was among the data on a computer backup tape stolen from an intern's car last week, Gov. Ted Strickland announced yesterday.
The stolen tape also contains bank-account numbers for Medicaid providers, retirement account numbers for teachers, plus Social Security numbers for more than 75,000 dependents of state employees, the governor said.
And there could be more: Strickland said the state knows other sensitive data is on the tape and an analysis continues. He has scheduled a news briefing today to report any new findings.
"We will continue to inform Ohioans if more sensitive information is found to be included on the data device as soon as that information is confirmed," he said.
Administration officials aren't speculating about what risk having the bank-account information or other data confirmed to be on the tape so far may pose if it is accessed.
Strickland continued to say yesterday that there is no evidence the data has been used, and that it's unlikely the tape could be accessed without specialized knowledge or equipment.
But even the possibility of having such information fall into the wrong hands -- especially in combination with other personal data -- is a concern, said Mike Adelman, vice president of state government relations for the Ohio Bankers League.
"Clearly, that is a pretty serious matter," he said. "Banks work really hard to protect that information, and any sort of breach like this will have to put us (at) heightened awareness."
In the meantime, the State Highway Patrol said yesterday there are no new leads in the investigation into the theft, and a toll-free tip line has been established to report any information about the stolen tape or thief (1-877-OHS-INTEL or 614-799-3555).
Strickland called a news conference Friday to announce that the data tape had been stolen June 10 from the car of a 22-year-old state intern who was assigned to take it home for safekeeping but apparently left it in his unlocked car.
At the time, the governor said he was confident that the only sensitive information on the tape was the names and Social Security numbers of all 64,467 non-university state employees.
But Strickland then announced about 11:15 p.m. Friday that additional analysis of another backup tape found that personal data for employees enrolled in the state's pharmacy-benefits management program and their dependents also were on the stolen tape.
That includes names, Social Security numbers, addresses and phone numbers of 53,797 employees enrolled in the program as well as the names and Social Security numbers of 75,532 dependents, the governor said.
The state is offering free identity-theft monitoring and protection services to state employees and has extended it to cover dependents.
Strickland said yesterday that he reported what he thought to be accurate information Friday morning in good faith, but that he was notified Friday night that the situation was worse.
"Obviously, I feel badly this has happened," the governor said. "I am trying to deal with this in a way that is transparent and is responsive to what it is we can do to mitigate any harm that could be done."
Budget Director J. Pari Sabety said that from Monday, when the theft was discovered, through Thursday morning, two state workers performed an automated search of a second backup tape using keywords to identify sensitive information.
But on Friday, when 10 state workers started examining the files and the raw computer data directly, they began discovering other types of personal data.
That process continues, and 18 workers now are poring over the data, said Ron Sylvester, a spokesman for the Ohio Department of Administrative Services. It's not clear when the analysis will be complete, he said.
Strickland said yesterday he doesn't want to make a "scapegoat" out of the intern, Jared A. Ilovar.
He was one of four workers who took the backup data home each night on a rotating basis from a temporary worksite for the Ohio Administrative Knowledge System, the state's new $158 million payroll and accounting system.
The policy, established in 2002 before Strickland took office, called for keeping one backup tape on site and having a second backup taken off site in case of a fire or other disaster.
But Ilovar apparently left the tape in his unlocked car in the parking lot at his Hilliard apartment. Hilliard Sgt. James M. Redmond has said the break-in appears to have been random.
Greg Knieriemen, vice president of Chi Corp., a suburban Cleveland company that specializes in data storage, backup and protection, said any protocol sending backup copies home with an employee is "way out of date."
Knieriemen, whose firm's clients include the state of Nevada and Ohio State University, also disputed Strickland's claim that it would be difficult to access personal information on the stolen tape. Without a high level of encryption, the information on the tape could be readily retrieved, he said.
"Everything that's tape-formatted, if it's not encrypted, can be read by basic computer software," Knieriemen said. "If it wasn't encrypted, (Strickland's) statement is pretty much a stretch."
The state has confirmed that the data on the stolen tape is not encrypted, and Strickland has issued an executive order calling for the development of a new protocol to encrypt sensitive data.
Strickland also has asked the Ohio Inspector General to investigate both the circumstances surrounding the theft and the state's response.
But that's not much comfort for state employees concerned about identity theft.
"Of course I'm worried," Benjamin Odita, an employee at the Department of Mental Retardation and Developmental Disabilities, said on Friday. "There should be sufficient security in place. Somebody is slipping."
Dispatch Senior Editor Joe Hallett and reporter Alan Johnson contributed to this story.
Ongoing analysis determines that governments, school districts among those who may be affected
Sunday, June 17, 2007 3:43 AM
By Mark Niquette
THE COLUMBUS DISPATCH
David Foster Dispatch
Gov. Ted Strickland has issued an executive order to develop a program to encrypt sensitive data. The information on the stolen tape was not encrypted.
Data in jeopardy
Types of data confirmed to be on a stolen state backup computer tape so far:
The names and Social Security numbers of all 64,467 non-university state employees.
Names, Social Security numbers, addresses and phone numbers of 53,797 state employees enrolled in the state's pharmacy-benefits management program, plus the names and Social Security numbers of 75,532 dependents. Officials don't think medical information is included.
Bank-account information for school districts and local governments to receive payments from the state. Officials are assuming that all local governments and school districts are included.
Medicaid provider names, tax identification numbers, addresses and bank-account information to receive payments from the state. There are 159,708 records, but officials think many are duplicates because there only are about 77,000 state Medicaid providers.
The names, Social Security numbers and retirement-account numbers for the 1,031 state employees who are part of the State Teachers' Retirement System. This includes current employees and those who have retired since Dec. 21, 2005, who paid into the system.
The banking information, addresses and phone numbers of the 28,362 state employees and vendors who receive electronic payment of expense reimbursements from the state.
Source: Gov. Ted Strickland
Whom to contact
Employees whose names and Social Security numbers were on a stolen computer storage tape are encouraged to go to www.ohio.gov/idprotect or call for recorded information at 1-888-644-6648. The Web site will have any updates regarding enrollment in the free identity-theft protection program the state is providing for one year.
If employees have additional questions, they may also contact their human-resources office or 1-800-267-4474 and 1-877-742-5622 to speak with a customer service representative. The call center will be open as follows:
Today -- 10 a.m to 4 p.m.
Starting Monday -- 8 a.m. to 5 p.m.
Bank-account information for local governments, school districts and certain state employees and vendors was among the data on a computer backup tape stolen from an intern's car last week, Gov. Ted Strickland announced yesterday.
The stolen tape also contains bank-account numbers for Medicaid providers, retirement account numbers for teachers, plus Social Security numbers for more than 75,000 dependents of state employees, the governor said.
And there could be more: Strickland said the state knows other sensitive data is on the tape and an analysis continues. He has scheduled a news briefing today to report any new findings.
"We will continue to inform Ohioans if more sensitive information is found to be included on the data device as soon as that information is confirmed," he said.
Administration officials aren't speculating about what risk having the bank-account information or other data confirmed to be on the tape so far may pose if it is accessed.
Strickland continued to say yesterday that there is no evidence the data has been used, and that it's unlikely the tape could be accessed without specialized knowledge or equipment.
But even the possibility of having such information fall into the wrong hands -- especially in combination with other personal data -- is a concern, said Mike Adelman, vice president of state government relations for the Ohio Bankers League.
"Clearly, that is a pretty serious matter," he said. "Banks work really hard to protect that information, and any sort of breach like this will have to put us (at) heightened awareness."
In the meantime, the State Highway Patrol said yesterday there are no new leads in the investigation into the theft, and a toll-free tip line has been established to report any information about the stolen tape or thief (1-877-OHS-INTEL or 614-799-3555).
Strickland called a news conference Friday to announce that the data tape had been stolen June 10 from the car of a 22-year-old state intern who was assigned to take it home for safekeeping but apparently left it in his unlocked car.
At the time, the governor said he was confident that the only sensitive information on the tape was the names and Social Security numbers of all 64,467 non-university state employees.
But Strickland then announced about 11:15 p.m. Friday that additional analysis of another backup tape found that personal data for employees enrolled in the state's pharmacy-benefits management program and their dependents also were on the stolen tape.
That includes names, Social Security numbers, addresses and phone numbers of 53,797 employees enrolled in the program as well as the names and Social Security numbers of 75,532 dependents, the governor said.
The state is offering free identity-theft monitoring and protection services to state employees and has extended it to cover dependents.
Strickland said yesterday that he reported what he thought to be accurate information Friday morning in good faith, but that he was notified Friday night that the situation was worse.
"Obviously, I feel badly this has happened," the governor said. "I am trying to deal with this in a way that is transparent and is responsive to what it is we can do to mitigate any harm that could be done."
Budget Director J. Pari Sabety said that from Monday, when the theft was discovered, through Thursday morning, two state workers performed an automated search of a second backup tape using keywords to identify sensitive information.
But on Friday, when 10 state workers started examining the files and the raw computer data directly, they began discovering other types of personal data.
That process continues, and 18 workers now are poring over the data, said Ron Sylvester, a spokesman for the Ohio Department of Administrative Services. It's not clear when the analysis will be complete, he said.
Strickland said yesterday he doesn't want to make a "scapegoat" out of the intern, Jared A. Ilovar.
He was one of four workers who took the backup data home each night on a rotating basis from a temporary worksite for the Ohio Administrative Knowledge System, the state's new $158 million payroll and accounting system.
The policy, established in 2002 before Strickland took office, called for keeping one backup tape on site and having a second backup taken off site in case of a fire or other disaster.
But Ilovar apparently left the tape in his unlocked car in the parking lot at his Hilliard apartment. Hilliard Sgt. James M. Redmond has said the break-in appears to have been random.
Greg Knieriemen, vice president of Chi Corp., a suburban Cleveland company that specializes in data storage, backup and protection, said any protocol sending backup copies home with an employee is "way out of date."
Knieriemen, whose firm's clients include the state of Nevada and Ohio State University, also disputed Strickland's claim that it would be difficult to access personal information on the stolen tape. Without a high level of encryption, the information on the tape could be readily retrieved, he said.
"Everything that's tape-formatted, if it's not encrypted, can be read by basic computer software," Knieriemen said. "If it wasn't encrypted, (Strickland's) statement is pretty much a stretch."
The state has confirmed that the data on the stolen tape is not encrypted, and Strickland has issued an executive order calling for the development of a new protocol to encrypt sensitive data.
Strickland also has asked the Ohio Inspector General to investigate both the circumstances surrounding the theft and the state's response.
But that's not much comfort for state employees concerned about identity theft.
"Of course I'm worried," Benjamin Odita, an employee at the Department of Mental Retardation and Developmental Disabilities, said on Friday. "There should be sufficient security in place. Somebody is slipping."
Dispatch Senior Editor Joe Hallett and reporter Alan Johnson contributed to this story.
# posted by raveneye @ 11:47 AM 
