Ohio Data Leak Follows The 'Worse Than First Thought' Plan
from the working-for-you dept
It’s pretty much par for the course that when a data leak gets disclosed, it’s followed up a few weeks later with another announcement revealing that even more people’s information was lost than first thought. Whether that’s because it takes some time to figure out the extent of losses or is just a PR ploy is open for debate. In any case, you might remember the recent case in Ohio, where the personal information of all the state’s 64,000 or so employees was lost when a storage device containing it was stolen out of an intern’s car. True to form, the state’s governor has issued an update, revealing that it’s not just the state employees whose info was stolen, but a total of about 500,000 people, including welfare recipients, state employees’ dependents, and taxpayers with uncashed income tax refunds. We noted earlier that the intern had the device as part of the state’s security protocol, in which employees rotated taking backups home with them in case data on the state’s system was lost. While storing backups off-site has some merit, this incident highlights the idiocy of just passing out devices to employees and having them take them home, rather than storing them in some more secure manner. The state has now ordered an end to the practice, while the state police have set up a post office box “in hopes that the storage device would be returned anonymously.” Somehow, given the great job state officials have done to advertise the potential value of the device, that seems pretty unlikely.
Comments on “Ohio Data Leak Follows The 'Worse Than First Thought' Plan”
Offsite storage does not mean taking it home!
I mean really. A previous article says that this is not uncommon practice for business. What businesses are those? Perhaps a mom-and-pop shop that keeps it’s records on a PC in the back. They might back up the PC and take the backups home, but that would be the limit.
Any business worth it’s stock prices will have a paid off-site provider who stores these backups in a climate controlled facility, secure and protected.
On another matter. How easy is it to read this data? The article also mentions that the data is “difficult to comprehend” and could not be read without specialized equipment. Does this mean the data is encrypted? If so, I hope the password wasn’t chosen by someone who thinks his/her kid’s name and a random number is a good idea of a password…
EtG
Maybe Ohio should try my free off-site distributed backup plan: I put my files in password protected rar files with names like “some_celebrity_stolen_sex_tape!.rar” and put them up on the file-sharing networks. Man, they never go away then.
I’d say what I do with my protected files – but then they wouldn’t be so protected… lol
And yeah – to a clueless computer user a file with the extention ‘.XLS’ might be “difficult to comprehend” – but to anyone who knows what an excel file is… well..
It might be ‘difficult’ for the Governor to comprehend, but I daresay anyone who’s worked on PC’s a while could figure it out.
All I need is another reason to love this state!
It’s news of such complete idiocy and incompetence that really makes me proud to be an Ohio tax payer and former employee. It would laughable if such things weren’t such a common occurrence here!
oh, it happened in Ohio, but I would bet 49 other states just went “someone find out what we do and fix it!”
One of the many reasons I left the Great State of Ohio. Unfortunately, that didn’t prevent my personal information from being included on said backup device (confirmed a couple days ago).
My guess, from working at the department that lost this “backup device,” (circa Y2K, so don’t quote me as being anything close to an official statement) was that it was a sql dump, or in-place hot backup. For those who are playing at home, the former is very EASY to read. The later is a little harder to read, as it requires you to get a copy of the fairly common, but kinda pricey software first. I don’t know if a student/free copy of the software (I honestly don’t remember if it was Oracle, or Sequel) would allow you to recover from a hot backup, or not.
When I was working there, I do remember security having a very high PR value, and a very low practicality implementation. That being said, encryption was probably NOT implemented.
Re: Re:
Price wouldn’t matter, they’d just get a torrent or some other p2p version of it
why
WHY does an intern need all that info. Why would that info ever need to be copied to a local drive. Why isnt that data safe in a database somewhere.
Re: why
its explained in the article why the intern had the info…
It's been all over the news here in Columbus
From everything that I’ve seen on the news, it was simply a backup tape of a server or servers. That being the case, you would need a copy of the same (or compatible) backup software to read the tape. Additionally, the tape that they have been showing the news that supposedly is an exact duplicate isn’t your stand LTO, SDLT, or DAT tape. It looked like one of the older and far more uncommon QIC formats, except that the tape cartridge was about the size of a VHS tape. Having worked in IT consulting for the past 10 years, I’ve only ever seen one other company who used the same kind of backup device.
In that sense, it probably would take a fair amount of effort to recover anything from the tape cartridge, as you would need to have a computer to restore the data to, a device capable of reading the cartridge, and software capable of reading the backup format. It’s not quite as straightforward as pulling data from a stolen laptop or USB hard disk, but it’s certainly well within the capabilities of someone who is actively pursuing said data. The only question is whether it was stolen by an opportunistic thief or if it was a targeted theft.
Just Stupid or Criminal
I got notification from the state today that my information may have been lost or stolen (it was stolen and now is lost), but who’s that picky. There is a saying in IT, some things are just stupid and others are criminal… I would put this category in the criminal category. R. Steve Edmonson State of Ohio, Chief Information Officer, has a quotes on his site saying “I look forward to ensuring that we make the best use of the technological resources available to our state for the benefit of all Ohioans,”… looks like he made the information a little too available. Mr. Edmonson, I’ll look for your resignation soon.
The warning bell...
You know the one… MOST of us have it. That little warning voice in your head that says “Hey, maybe this isn’t the best idea, there’s been a lot a data ‘lost’, is having a backup tape in my Gremlin really that secure?” What has happened to that little voice of reason in these folks! lol
One hell of a state backup system, where even the intern have a turn at taking home everyones data.
Obviously never worked for government...
Thinking isn’t encouraged, nurtured, or allowed in government positions, those higher up expect those below them to do whatever they say regardless of how stupid or inane it may be, after all that’s why they are at the top, right, so they can tell other people what to do.
Those on the bottom don’t have any choice but to do what they are told, ‘thinking’, ‘offering ideas’, or ‘attempting to insert a modicum common sense’ are all likely to get you fired if you work for the government. However being an incompetent moron is likely to get you promoted, since they wouldn’t want you actually doing anything important and messing it up, so they will just put you in charge so you can make other ‘screw up’ when they follow your advice, and then you can bring down the hammer and fire them, thereby proving that you actually did something useful (government managers will read this and think, yeah, so? without ever stopping to realize how screwed up things really are)
Likely scenario:
Intern – Hey we should have offsite storage of our backup material, in the event of a disaster or system crash. Here’s a great provider I looked up, they handle secure transportation, guarantee the media is stored in a safe environment, and even provide on-call recovery services in the event that they are needed. Here’s the complete proposal and supporting documentation.
Manager (in board meeting) – I’ve decided that we need to implement offsite storage of our backup tapes, and our Intern has graciously volunteered to ‘handle’ everything (meaning that the intern will get stuck sloggin the media around, not that the intern’s idea/recommendation will get implemented). A month later when the inevitable happens and the tape is lost…. Fire the Intern, blame them for the entire idea, then sit back rejoice in how well you ‘fixed’ things (ignoring the fact that you caused the entire situation – acceptance of fault in government jobs is limited, nobody is willing to admit they did anything wrong), while continuing to rake in the big bucks for doing all the ‘hard’ work.
Can you tell I’m not very happy with the way things work at my government job?
They say that sufficiently advanced incompetence is indistinguishable from malice. Nowhere is this more clear that government IT. – Unknown
And another one
Another Ohio state employee had a laptop stolen recently.