By Matt Reed
June 17, 2007
COLUMBUS, Ohio - The state has hired a computer security expert who
specializes in civil and criminal cases to determine the likelihood of
someone getting access to the data on a stolen backup storage device,
Gov. Ted Strickland said Sunday.
Matthew Curtin, 34, will begin Monday reviewing what is already known to
be on the device, whose theft was revealed on Friday.
Also on Sunday, Strickland said the device contained the names and case
numbers of the state's 84,000 welfare recipients, who face "a remote
threat of identity theft," and the names and federal tax identification
numbers of vendors that receive payroll deduction payments from the state
- about 1,200 records. Sixteen of those records contain banking
information, he said.
Strickland said the Ohio Department of Commerce on Monday would send
letters to banks, credit unions and other financial institutions
alerting them that customers' information may have been compromised.
Previously, it was revealed the device contained the names and Social
Security numbers of all 64,000 state employees. It also contained bank
account information about the state's school districts and Medicaid
providers and information about 53,797 people enrolled in the state's
pharmacy benefits management program and the names and Social Security
numbers of about 75,532 dependents.
Strickland again said that he has no reason to believe the information
has been compromised because getting it requires special equipment and
expertise. He also has issued an executive order to change the
procedures for handling state data. Strickland and Curtin said the
analysis of what's on the device should be finished on Monday.
"The analysis of the data is nearly complete, but we have several
additional files that are so complex that it will take some time,"
Strickland said at a Statehouse news conference on Sunday - his third in
Curtin founded Interhack Corp. in Columbus 10 years ago. "We make the
bad guys give up," the company says on its Web site. Curtin said he
would have a better idea on how someone could get access to information
on the device on Monday.
"We've just, just gotten started," Curtin said Sunday. "By tomorrow,
I'll have some insight and have my hands around it."
The State Highway Patrol also announced Sunday that a post office box
had been established in Columbus in hopes that the storage device would
be returned anonymously.
The device - listed in a police report from suburban Hilliard as being
worth $15 - was reported stolen along with a $200 radar detector, out of
the car of 22-year-old Jared Ilovar, a college senior making $10.50 an
hour in his state job. Ilovar is an intern with the Office of Management
and Budget assigned to work on the state's $158 million payroll and
accounting system. Telephone and e-mail messages seeking comment were
left for Ilovar.
Strickland said Ilovar mistakenly left the device in a vehicle parked
outside an apartment when it was supposed to be taken into his home as
part of a protocol in place since 2002.
Sol Bermann, chief privacy officer at the state Office of Information
Technology, called Curtin one of the country's foremost data security
"It's a third-party validation of our work. It's important that someone
double-checks for us so that nothing is missed."
The state is expected to pay $50,000 to Curtin, who said he doesn't know
how long his investigation will take.
Associated Press Writer John McCarthy contributed to this report