June 22, 2007

W-W-W-Wait a Minute: When Did THIS Data-Theft Number Go Up? (Answer: Maybe It Didn’t It Sure Did)

Filed under: Privacy/ID Theft, Taxes & Government — TBlumer @ 10:15 am

Last I heard, the state had lost data relating to about 67,000 employees and 225,000 others, or roughly 300,000.

The press is reporting that the number has inexplicably jumped (bold is mine):

(AP Article published Friday, June 22, 2007)
Report prepared in Strickland transition warned of data risk

COLUMBUS, Ohio — Months before a computer device containing the Social Security numbers and other personal information of more than 500,000 Ohioans was stolen from an intern’s car, the state was warned it was vulnerable to data theft, The Columbus Dispatch reported Friday.

Before he took office in January, Gov. Ted Strickland asked teams of experts to evaluate key areas of state government and submit findings and recommendations.

The team studying the Office of Information Technology concluded the state had “little to no policy guidance or standards” for protecting Social Security numbers and other sensitive information, according to a report prepared as part of Strickland’s transition team.

“Ohio’s lack of a robust, unified privacy/security capacity lays it open to the type of data spills and breaches that have been plaguing the government and the corporate sectors in increasing numbers over the past few years,” the report said.

The report concluded the state needed clear policy and standards set in cooperation with the Legislature, plus proper monitoring and auditing, or the danger of a data breach “will continue to grow.”

When did the number of those affected go from 300,000 to 500,000? It’s not an AP typo: The Dispatch report AP refers to also reports the number as 500,000, but I believe they’re double-counting:

The Ohio Department of Taxation provided a list yesterday showing that the list of affected taxpayers contains 210,930 individuals and 224,058 checks because some people received both refund checks.

Zheesh — If Dispatch reporter Mark Niquette added the “individuals” and the “checks” to the affected state employee count of about 67,000 to get to about 500,000 “Ohioans,” he’s definitely double-counting. The correct number of affected individuals may still be roughly 300,000 (June 23 — see Update below).

Regardless of whether it’s 300,000 or 500,000, I believe the Dispatch article is understating the cost, which it still pegs at about $900,000. Since the state has extended its offer of assistance to all affected, the final cost could be as high as $3 million - $5 million, assuming about $10 per affected person for a year of credit monitoring, plus the state’s administrative costs.

As suspected earlier, there is some ability for the current crew to blame the past one. But the the Dispatch report notes that the problem has been flagged for about six months, which should have been more than enough time for the administration to at least have done something. But it appears little if anything was done until Governor Strickland issued his June 15 Executive Order.

But the big issue that remains is how the known scope of the problem grew in the days after the data theft. Two words describe what’s needed ASAP: Independent Investigation.

_____________________________________

UPDATE, June 23 — The complete roster of affected people, assembled from this Cincinnati Enquirer article Thursday evening, includes:

- 64,000 state employees and 75,500 of their dependents.
- 77,000 Medicaid providers.
- 84,000 recipients of Temporary Assistance for Needy Families.
- Unspecified school district and local government bank accounts.
- (considered “new” victims in the Enquirer article) About 225,000 taxpayers with uncashed state or local income tax refunds going back to 2005
- (considered “new” victims in the Enquirer article) 602 Ohio Lottery winners who have not cashed checks during the past three months; their names and Social Security numbers also were on the device.
- (considered “new” victims in the Enquirer article) 2,488 Ohioans who have not cashed checks for unclaimed fund payments.
- (considered “new” victims in the Enquirer article) Up to 1,000 Ohioans whose electronic fund transfers of state payments failed to go through to their bank.

The total works out to just short of 520,000.

The Enquirer article also references “338,634 files of data.” Presumably some files had multiple individuals’ data.

_____________________________________

Previous Posts:
- June 21 — What the ???? (Ohio Data Theft Update; Time for an Independent Investigation)
- June 19 — What the ???? (Stolen State Data Was NOT Encrypted)

2 Comments

  1. Death by slow bleed. I wonder if that is the last figure. But of course the slow string along makes for interesting reading.

    Comment by Conservative Culture — June 23, 2007 @ 10:46 am

  2. #1, they definitely saved “the best” for last, which is enough to make you wonder if the news dribble-out HAS been managed. By the time they got to the stuff affecting the most people (the tax refunds), information fatigue had set in on the week-plus-old story. Perhaps another reason for what already justifies the need for an independent investigation.

    Comment by TBlumer — June 23, 2007 @ 10:00 pm

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.