By Brian Fonseca
September 11, 2007
A computer forensics expert has uncovered an additional 106,821 pieces
of personal data on a copy of a stolen backup tape removed from the car
of an intern responsible for carrying data used by the Ohio state
government's computer systems. The finding, released in two reports on
Monday by Interhack Corp., arrives three months after the incident
In its report, Columbus, Ohio-based Interhack said the missing backup
tape featured newly discovered names and Social Security numbers of
47,245 individuals; the names and Social Security numbers of 19,388
former state employees; and banking information on less than 100
businesses, according to Ron Sylvester, a spokesman for the Ohio
Department of Administrative Services.
Additionally, the names and federal employee identification numbers of
40,088 businesses were unearthed by Interhack. Information from that
file was being used by the state's Ohio Administrative Knowledge System
(OAKS) to help populate and test E-Controlling Board, a state
Controlling Board business application.
Following Interhack's analysis, Sylvester confirmed that in total more
than 1.3 million pieces of personal data were stored on the stolen
backup tape. The groups affected include state taxpayers, Medicaid
providers, payroll vendors, dependents, students and state government
The incident is expected to cost the state almost $3 million. Of that
total, $2.3 million covers projected and existing enrollment in Debix
Inc. credit protection services. Debix enrollment paid for by the state
for affected individuals will remain open until Oct. 31. Debix
protection will not be extended toward any businesses with information
on the lost backup tape.
At the time of its theft, the missing tape was being used to carry
information from the government's office tower to an off-site location,
where roughly 100 state workers and 100 Accenture employees are
responsible for testing, configuring code and customizing PeopleSoft
applications. That effort is part of Ohio's massive $158 million OAKS
"The particular drive that this tape was used to back up... was the sort
of the testbed drive, so a lot of data was real and historical data
being used to test different parts of the OAKS system -- everything from
payroll functionality to accounting functionality," said Sylvester.
"That's why there were a lot of these files on here, because they were
testing things like cutting purchase orders, paying mileage checks --
all the business processes that the current legacy systems use -- and
making sure the way OAKS was being configured would work."
Since it was a temporary site, a network administrator from the state's
previous administration had decided as part of his business continuity
plan that he would take backup tapes home every night. However,
Sylvester said over time that practice had "devolved" to include interns
taking the tapes home.
When the data breach occurred, he said his administration was unaware of
the backup tape transportation plan.
"Unfortunately, there should have been a different way to handle those
backups in place. The way [the previous administration] was handling
those backups is a very 1980s kind of thing, that's what people use to
do in the old days," said Sylvester.
The Ohio State Patrol was not notified and therefore didn't begin its
investigation of the stolen state government backup tape until three or
four days after the incident occurred. The Hilliard Ohio Police
Department, which was the first law enforcement agency to become aware
of the theft, didn't know about the sensitive data on the tape, so it
only filed a report without an investigation, said Sylvester.
Because of the data breach, an internal review of how backups are
handled across all state government agencies is being conducted. In
cases where tapes are taken off-site, a service is being used to
transport them securely to ensure that employees are not transporting
data in their personal vehicles.
Visit the InfoSec News Bookstore