June 19, 2007

What the ???? (Stolen State Data Was NOT Encrypted)

Filed under: Privacy/ID Theft,Taxes & Government — Tom @ 7:53 pm

Generally agreeing with NixGuy’s take up to this point, I decided not to deal with the state data-theft story because it seemed like an unlucky break, and I wasn’t going to pile on — not when there are, in the big picture, more important stories like the state’s better-off-than-portrayed budget situation and our governor treating an unindicted co-conspirator-with-terror group as if it’s just another religious or civil-rights organization.

After all, the data was encrypted.

“Oops.”

Here what Tech News World reported on Friday, June 15:

Thieves who broke into a car belonging to an intern for the state of Ohio on Sunday no have access to data on all the state’s 64,000 employees — at least theoretically.

The data, which was on a backup device, included the names and Social Security numbers for all employees of the state, Gov. Ted Strickland announced Friday. Fortunately, it was encrypted, Keith Dailey, press secretary for the governor’s office, told TechNewsWorld.

Ohio Highway Patrol has asked that specific details about the computer device and its encryption be withheld so as not to interfere with the investigation, Dailey said.

But today, according to an Associated Press story by Stephen Majors in the Akron Beacon Journal (HT RAB), the story has totally changed:

State says data on stolen tape not encrypted
Ohio will spend $700,000 to plug privacy threat, but security measures could have scrambled info

COLUMBUS – Ohio’s $700,000 response to the theft of a sensitive state computer backup tape from the car of an intern would have been unnecessary had the information been encrypted, a relatively inexpensive process growing more common in the world of information technology, experts said Monday.

Gov. Ted Strickland has said the information on the backup tape — including the names and Social Security numbers of all 64,000 state employees and their dependents — was not encrypted, a process by which data is jumbled into an unrecognizable form through the use of complex mathematical codes. Parts of the tape, however, were protected by password, Strickland’s spokesman said Monday.

OK, I see three possibilities:

  1. Strickland and his spokesmen were misled by lower-level folks about the presence of lack of encryption and they didn’t get caught in their deception until the past day or so.
  2. Strickland et al and/or certain lower-level folks in the food chain don’t know the difference between password protection and encryption, thinking they’re one and the same, and the communication got garbled by the time it got to the governor’s office.
  3. Strickland et al knew the data was not encrypted and, uh, fibbed about it for an entire weekend, giving thousands of people a completely false sense of security that won’t be undone by today’s “oops.” If the Strickland administration has been engaging in uncalled-for news management in the data-theft story by allowing bad news to dribble out instead of releasing it all at once, that would seem to this admitted non-lawyer to be a very serious matter.

I see no way anyone can now claim that this has been handled properly from top to bottom.

We sure ought to start finding out who knew what, and when they knew it. This may be one of those situations calling for an independent investigation.

___________________________________

UPDATE: This snippet from the AP story begs a big question –

Also in response to the theft, Strickland signed an executive order last week calling for a data encryption protocol to be developed within 75 days.

Wait a minute — I thought as of “last week” (June 15 was Friday) that “everyone knew” that the data WAS encrypted — and still thought so for another three days. I suppose the need for an executive order covering data-handling in general might have been considered, but why encryption, if “everyone knew” that encryption wasn’t a problem? The full text of the executive order is at the end of this link.

I sense that there is a lot of story-straightening going on in Columbus tonight.

UPDATE 2: Maybe there’s a fourth possibility, but it seems like a stretch — the Ohio State Highway Patrol might have suggested that the public be told that the data was encrypted so that the thief would return it quickly without trying to access it. I don’t want to be accused of inventing useful excuses, but anyway it seems that this tactic would have been good for the first couple days after the theft (about June 10) IF the public had known about it — which it didn’t. Given that no one outside the inner circle knew of the data theft until Thursday or Friday the 14th or 15th, that attempted explanation doesn’t wash very well. Four or five days is forever in a theft case.

Share

7 Comments

  1. I’m just happy we can now get the inept Republican backup policy from 2002 fixed. We should all be glad in that. You might have just missed that part. I know you try to do a thorough job in your blogging. No worries. Maybe your independent investigation can get to the bottom of the backup policy problem. Let’s hope!

    Comment by Eric — June 19, 2007 @ 8:51 pm

  2. #1, I’m thinking that an independent-counsel type investigation might be warranted to determine why data represented as encrypted for days wasn’t.

    That is totally apart from the state’s back-up policy issues, and you know it (which is among the irritating things about your alleged lines of argument).

    I hear Patrick Fitzgerald might be available soon….

    Comment by TBlumer — June 19, 2007 @ 9:01 pm

  3. If I had to guess I’d say possibility #2 is most likely.

    There’s multiple layers of encryption that could have been involved. The application could have encrypted it, the database could have it encrypted and the backup software itself could have encrypted it.

    It’s not shocking at all to me that it’s not encrypted as the encryption comes at a cost of slower response times. Oftentimes the easier thing to do is to take off the encryption especially when there isn’t enough money to buy the required hardware. Oops.

    Still not Strickland’s fault, except for trying to jump out in front without all the facts.

    Comment by dave — June 19, 2007 @ 9:49 pm

  4. #3, that\’s a pretty big “except,” which if I were Ted and I had been tricked or misled into saying something untrue, I’d be seriously seething and lopping off some heads.

    Comment by TBlumer — June 19, 2007 @ 9:53 pm

  5. [...] BizzyBlog gets into the action on the lost state data.  I point to Bizzy, because I think he makes a good point.  He stayed out of the issue because he thought it was unfortunate.  The handling of the issue, however, by Governor Strickland has been so jumbled, he can remain silent no more.  Bizzy’s major issue at this point is the fact that the Strickland folks said the info was encrypted, but it wasn’t. [...]

    Pingback by Lincoln Logs » Blog Archive » Encryption: Another Strickland Foul Up — June 20, 2007 @ 7:00 am

  6. [...] BizzyBlog had a post yesterday about the state’s stolen data tape not being encrypted, despite the fact that at least one state spokesman was quoted in one outlet saying that the date was encrypted. Bizzy sees three possibilities: [...]

    Pingback by Columbuser.com / More on the stolen data tape — June 20, 2007 @ 12:13 pm

  7. [...] Here’s BizzyBlog: But in my opinion, the need for an independent investigation is there because we don’t know who and what are causing the situation to continually mushroom. It’s making the governor (unfairly, in this case) look like a buffoon. To be finding out 10 days later that what was thought to be encrypted isn’t, what was thought to be locked wasn’t, and that the scope of what was stolen is still growing, is ridiculous. If the game-playing goes high enough (like to the governor’s cabinet? or a handler?), any attempted internal investigation might be compromised. It’s better to have an independent investigation now and clean house than to either never get a handle on what happened or to have the truly guilty parties engineer some kind of fall-guy/gal result. [...]

    Pingback by Columbuser.com / Strickland dribbling out stolen data details — June 21, 2007 @ 11:26 am

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.