By Mark Niquette
THE COLUMBUS DISPATCH
June 19, 2007
A state office had been sending backup data tapes home with interns for
two or three years before a tape with sensitive information was stolen
from an intern's car last week, The Dispatch has learned.
In fact, it appears that the former technical manager for the Ohio
Administrative Knowledge System didn't use regular state employees --
only two or three interns besides himself -- to take the data home on a
rotating basis for safekeeping, said Ron Sylvester, a spokesman for the
Ohio Department of Administrative Services.
"On its face, with what we know today, this seems like a questionable
decision," Sylvester said.
State Rep. Jay Hottinger, R-Newark, was more blunt.
"Not since Monica Lewinsky have we seen an intern with such access,"
Hottinger said yesterday after voting with the rest of the state
Controlling Board to spend more than $700,000 to deal with the fallout
so far from the June 10 theft of the backup tape.
The manager, Carl Miller, retired May 31, Sylvester said. Miller, who
records show was hired by the state in 1977 and earned $116,063 last
year, couldn't be reached. His pay worked out to $54.10 an hour; the
intern made $10.50.
Gov. Ted Strickland has confirmed that the tape stolen from intern Jared
A. Ilovar's car holds myriad crucial data, including Social Security
numbers of state employees and their dependents, identities of welfare
recipients plus banking information for school districts, local
governments and others.
According to a state policy that officials said was last updated in
April 2002, two backup copies were to be made each day of the data in
the state's $158 million payroll and accounting system, known as OAKS.
The current day's backup tape was to be maintained on site in the
network administrator's office, and the previous day's backup tapes were
to be taken to the network administrator's home in case of a fire or
other disaster at the office.
But as the project became more active and resources became stretched,
Miller started assigning interns for a week at a time to take a backup
copy home every day, Sylvester said.
Yesterday, the bipartisan Controlling Board voted unanimously to spend
as much as $731,000 for the initial response to the data theft, after
complaining about what Hottinger called the "mind-boggling" policy of
sending sensitive data home with a 22-year-old intern.
The spending includes up to $631,000 for Texas-based Debix Inc. to
provide free-to-employees identity-theft protection and prevention
services for non-university state workers and their dependents who are
enrolled in the state's benefits program.
The cost to the state is $9.75 for each of about 140,000 eligible
employees and dependents who sign up for the service. But Strickland
said he doesn't expect all state workers to use the service because only
about a quarter of those eligible in such situations elsewhere have
About 11,000 state employees and dependents had requested the service as
of yesterday, Sylvester said.
The panel also earmarked up to $100,000 for Interhack Corp. of Columbus
to assess the security of the new state accounting setup and to verify
that state officials have identified all important data that have been
Meanwhile, the investigation of the theft and search for the missing
tape continued yesterday. Nearly 50 State Highway Patrol cadets searched
the area where the theft was reported in Hilliard, and a toll-free tip
line has received five calls, Lt. Tony Bradshaw said.
Budget Director J. Pari Sabety said the administration is considering
offering a reward for the tape.
Strickland has said that there is no evidence the data have been
accessed and that it would take specialized knowledge and equipment to
But experts have said because the sensitive data were not encrypted -- a
step Strickland has now ordered -- it may be possible for the right
person to read the tape.
Curtin, the founder of Interhack, said it would take time, expertise and
money for someone to read the tape. Because the state has notified those
whose personal data may be affected, it would be difficult for a thief
to use the information, he argued.
"So at this point now, if somebody tries to use the data, they're going
to be found out pretty quickly," he said.
School districts and Medicaid providers that potentially could have
their bank accounts revealed were cautious but not overly concerned
As they were encouraged to do by state officials, many school treasurers
notified their banks about the potential exposure.
"The bank account and routing number is on every check we issue so it's
not as much concern as the tax identification number of the district,"
said Bexley Schools Treasurer Chris Essman.
Sylvester has said other entities in state government also have been
sending backup data home with employees, but that the practice was not
widespread and has been stopped.
The backup OAKS tape now is sent daily to a second state facility to be
Curtin said the practice of sending backup data home with employees is
fairly common because of the cost involved in hiring a company to do it
or using another facility.
Dispatch Senior Editor Joe Hallett and reporters James Nash and
Catherine Candisky contributed to this story.