June 25, 2007

Ohio’s State Data-Theft Update, Including State Contact Info (PLUS: AP’s Unsolicited Damage Control and Dispatch Whitewash)

I updated last Thursday’s later related post with what was, and I believe still is, the complete roster of those affected. The data theft occurred, per this Thursday Cincinnati Enquirer article, when “a 22-year-old college intern (was) asked to take a backup computer device home for the weekend, only to have it lifted from his unlocked car in the parking lot of a Hilliard apartment complex.”

I’ll repeat the roster here, and follow it with the latest info on what people should do.

The roster, as of last Thursday evening (I looked for additional updates over the weekend and didn’t find anything new):

“Old News” —
- 64,000 state employees and 75,500 of their dependents.
- 77,000 Medicaid providers.
- 84,000 recipients of Temporary Assistance for Needy Families.
- Unspecified school district and local government bank accounts.

(The last one doesn’t affect consumers directly, but is a potentially HUGE problem, especially at school districts, whose vigilance may have relaxed during the summer and/or during Finance Directors’ vacations. Every affected school district and local government bank account should be closed and replaced with a new one — Ed.)

Considered “new” victims per the Enquirer article –
- About 225,000 taxpayers with uncashed state or local income tax refunds going back to 2005.
- 602 Ohio Lottery winners who have not cashed checks during the past three months; their names and Social Security numbers also were on the device.
- 2,488 Ohioans who have not cashed checks for unclaimed fund payments.
- Up to 1,000 Ohioans whose electronic fund transfers of state payments failed to go through to their bank.

The total works out to a little less than 520,000.

The Enquirer article also references “338,634 files of data.” Presumably some files had multiple individuals’ data.

As to what to do, the state is advising the following:

Taxpayers with refunds issued in 2005, 2006 and through May 29 (2007) can check www.ohio.gov/idprotect or call 888-644-6812 for updates. For a live person or computer access help, call 800-267-4474, Monday-Friday, 8 a.m.-5 p.m.

The state will pay for a year’s identity theft protection.

All 225,000 taxpayers also are being notified by mail and told how to set up an ID protection account.

The site appears to do a good job of providing the necessary guidance and supplemental warnings. Don’t forget that thieves posing as government officials sometimes try to capitalize on situations such as this one by contacting potential victims and tricking them into giving up their personal information.


UPDATE: On Saturday, Stephen Morse of the Associated Press did a report (“Experts: Small risk of identity theft”) that reads more like damage control than a solid consumer-advice piece:

….. the sheer amount of information – including the names and Social Security numbers of nearly 400,000 people – means that the state employees, taxpayers and others unlucky enough to be on the tape are actually at a very low risk of having their identities stolen, experts said.

A company that has studied data breaches said personal information is at much greater risk when a particular person or small group of people is targeted – an everyday occurrence with no public announcement to scare away potential thieves.

You are much more at risk if someone goes through your garbage can than if you are part of a large data breach, said Thomas Oscherwitz, vice president of government affairs and chief privacy officer for San-Diego based ID Analytics.

“In that case you are a targeted victim as opposed to a large population where it will be difficult for a fraudster to go through that list,” Oscherwitz said.

It then refers to a study of four big data breaches covering about 500,000 consumer identities, which concluded that “Less than one-tenth of 1 percent, or one in 1,000 identities, was subjected to fraud in the breach the company described as an intentional target by identity thieves.”

The problems with that conclusion are that:

  • It surely looked at only a limited time period after the breaches (perhaps a year).
  • The fact that the thieves successfully used up to almost 500 identities (“less than one-tenth of 1%”) means that they probably could have used more of them, but were perhaps skimming the cream of the victim crop.
  • The information, if accessed, can be sold on the black market, including overseas. People can be victimized long after the one year of ID-theft protection expires. I would be particularly concerned about the dependents in the list above. To be fair, Morse’s article notes what follows, but not until the very end. Other outlets carrying the story edited out the info — example here.

I feel that Morse’s report provided too much comfort in the circumstances.

UPDATE 2: Columbus Dispatch reporters Strickland Administration mouthpieces Joe Hallett and Mark Niquette totally missed the point in their report yesterday, and in my opinion deliberately (bolds are mine) –

“There was absolutely no negative consequence of any part of our response save the delay in notifying the Highway Patrol,” he (Strickland) said, possibly allowing the trail to grow cold.

The reason for the delay, he said, is that he wasn’t told of the missing tape quickly enough.

Oh, that’s all. (/sarcasm)

Actually, that’s not all:

Budget Director J. Pari Sabety has said that after the theft was discovered, two state workers conducted an automated search of the second backup tape for four days, using keywords to identify sensitive information. It wasn’t until the fifth day that a team of workers started actually examining the data directly.

Geez, why didn’t they copy the data and go through both procedures at the same time? Hallett and Niquette would be ripping a GOP administration limb from limb for what’s described here.

And we’re still taking everyone’s word for what they’re saying. Given the embarrassment the governor and the state have suffered, that’s not good enough. Again: Independent, investigation.


1 Comment

  1. What I like is the complete disconnect between the above-the-fold, front page headline: Governor praised for theft response (http://www.dispatch.com/dispatch/content/local_news/stories/2007/06/24/tedreact.ART_ART_06-24-07_A1_GV73OFQ.html)
    and the actual article. All the irrelevant fluff is on the front page, and the actual criticism (i.e. truth) is buried on the bump page. For example: “the governor made the crisis more difficult for himself by ‘under-reporting’ and ‘over-reassuring’ the public. Strickland told the press and public on June 15, the day the theft was announced, that officials were confident the stolen tape contained only the names and Social Security numbers of state workers.

    “Less than 12 hours later, the administration had to concede that more-sensitive data was on the tape.

    “The news got worse as last week wore on, including revelations that the personal data of about 225,000 Ohioans who have not cashed state tax-refund checks are on the stolen tape.”

    Describing this as a “crisis” and shows Strickland’s “crisis management skills” is a bit overthe top; but I suspect nothing less from Strickland’s poodles, Hallett and Niquette, and The Disgrace.

    Comment by Joe C — June 25, 2007 @ 11:21 am

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.