July 17, 2007

Ohio Data Theft: An Early-Spring Order to Move Sensitive Info Surfaces NOW?

Filed under: Privacy/ID Theft, Taxes & Government — TBlumer @ 2:18 pm

July 18, 6AM — An earlier post headline indicated that the order discussed in this post had to do with encryption when it really had to do with moving sensitive data to a secure location not on the main network. The headline has been corrected; the post is otherwise unaffected. Because the order discussed in the post was not implemented, sensitive info was present in what was stolen. Although it would take specialized knowledge to access the data stolen because of the nature of the device stolen, the data on the device was not encrypted.

____________________________________

Forgive me, but this seems way too convenient (HT RAB):

Workers on the state’s new payroll and accounting system were told in April to remove Social Security numbers and other sensitive information from the main network but didn’t do it, records released yesterday suggest.

As a result, the data ended up on a computer backup tape that was stolen late June 10 or early June 11 from a state intern’s car, affecting more than 1 million people or businesses and costing the state an estimated $2.2 million so far.

Also, on June 15, the 22-year-old intern, Jared A. Ilovar, passed a three-hour polygraph test about the theft, correspondence obtained through a Dispatch public-records request shows.

The records contain an e-mail that David L. White, executive program manager for the Ohio Administrative Knowledge System, sent to four workers April 4 telling them to move sensitive files to a secure part of the system.

“I want all files that can be identified with SSN data put into a secure directory today,” White wrote.

After Gov. Ted Strickland announced June 15 that the backup tape containing sensitive information was stolen, White sent a copy of that April 4 e-mail to Budget Director J. Pari Sabety.

So this order was known by the Director of the Office of Management and Budget, who I believe reports directly to the Governor, and not made known to the public until now — and it had to be obtained through a public-records request? Why wasn’t this revealed much, much earlier?

The Office of the Inspector General’s Thomas Charles tells us that his is an independent agency. It had better be looking into how (or if) the Governor was kept in the dark, and how (or if) the supposed order was ignored without follow-up, or it will not be doing its full, “independent” job. If those things are not within his scope, we’ll never learn what we really need to know about the “Who knew what and when?” elements of this episode.

The Governor should be ensuring that this is done — with or without the Inspector General. If it takes an independent OUTSIDE investigation, Mr. Strickland should make it happen. At this point, Ohio’s chief executive appears to the person-on-the-street to either have been systematically kept in the dark by people under him, or to have himself manipulated the release of information to the public. Neither alternative is palatable, but the first would at least exonerate him. If we don’t learn otherwise, anyone who assumes the worse alternative (info release manipulation) would not be out of line.

In either case, identity thieves could have had, and perhaps did have (but we don’t know it yet), a field day with the personal information of those who didn’t learn that their personal information had been compromised 10 days to three weeks earlier than their portion of the data compromise was announced.

___________________________________________

UPDATE: Tammy Obeidallah at The Daily Advocate is acting as if the data IS encrypted (last para):

State officials believe it is unlikely that someone could access the encrypted data, as doing so would require specialized knowledge and equipment.

Zheesh.

___________________________________________

Previous Posts:
- July 13 — The State of Ohio Data Theft — One More Time: Independent. Investigation.
- June 25 — Ohio’s State Data-Theft Update, Including State Contact Info (PLUS: AP’s Unsolicited Damage Control and Dispatch Whitewash)
- June 22 — W-W-W-Wait a Minute: When Did THIS Data-Theft Number Go Up? (Answer: It Sure Did)
- June 21 — What the ???? (Ohio Data Theft Update; Time for an Independent Investigation)
- June 19 — What the ???? (Stolen State Data Was NOT Encrypted)

8 Comments

  1. The data IS encrypted, you moron. What are you so worried about? It’s not like anyone would steal YOUR lame-o ID!

    Comment by Tammy Obeidallah — July 17, 2007 @ 11:27 pm

  2. #1, Let’s see:

    - AP, June 19 —
    http://www.ohio.com/mld/ohio/news/17388654.htm
    “State says data on stolen tape not encrypted; Ohio will spend $700,000 to plug privacy threat, but security measures could have scrambled info” –

    - Technology News, June 21 –
    http://www.technewsworld.com/story/57968.html
    “However, the fact that Ohio didn’t bother to encrypt the information was irresponsible, said Gellman.”

    - Columbus Dispatch, June 17 —
    HERE
    “The state has confirmed that the data on the stolen tape is not encrypted, and Strickland has issued an executive order calling for the development of a new protocol to encrypt sensitive data.”

    I have revised my headline and content to make it clear that the latest e-mail has to do with data location, and is not related to the lack of encryption that was reported by several outlets back in June.

    I look forward to your modifying your report to acknowledge that the data was NOT encrypted.

    I also eagerly await your apology for the uncalled-for and immature name-calling…. “I was wrong; I am sorry” will suffice.

    Comment by TBlumer — July 18, 2007 @ 6:07 am

  3. These articles are a month old, you ignoramus. Try checking a current source, and try holding your breath for my apology. When you’re blue & gasping, let me know. JACKASS

    Comment by Tammy Obeidallah — July 18, 2007 @ 2:51 pm

  4. #3, perhaps you can explain to me, Our Lady of Perpetual Insult, how the data managed to encrypt itself while in the thieves’ hands during the past 30 days or so. I can’t believe I’m even having to type this.

    If you need a more recent proof that a miracle hasn’t occurred, try this Google News search. Note how yours is the only report claiming that the data was encrypted.

    Your ability and willingness to embarrass yourself appears to have no limit.

    Comment by TBlumer — July 18, 2007 @ 3:04 pm

  5. #3, an apology on the facts and the insults is still in order.

    The six most therapeutic words in the English language are “I was wrong, I am sorry.” Be not afraid. :–>

    Comment by TBlumer — July 18, 2007 @ 3:09 pm

  6. You’re a legend-in-your-own-mind whiner on an illegitimate neocon blog. You’re spreading Henny Penny sky-is-falling lies about this “data theft” simply to make Strickland look bad. You’re also bitter because you could never make it in print media. Get a life!!

    Comment by Tammy Obeidallah — July 19, 2007 @ 1:15 am

  7. #6, that is truly sad.

    Allow me to translate #6 for readers: “I don’t have the integrity to admit that I was wrong when I indicated that the data was not encrypted, so I’m resorting to name-calling, personal attacks, and pseudo-psychoanalysis.”

    That’s known as a non-response, Tammy.

    Comment by TBlumer — July 19, 2007 @ 5:13 am

  8. From the 4th paragraph of the Executive Summary of the OIG report released July 20:

    ++++++++++++++++++

    http://www.watchdog.ohio.gov/investigations/2007190.pdf

    Although OAKS is a $158 million IT project and the State of Ohio is a $52 billion business enterprise, OAKS administrators had not encrypted the data on the stolen backup tape and had authorized a succession of interns to take the tapes home for the previous two years with only an admonition to store the tapes in a safe place.

    ++++++++++++++++++

    That settles that.

    Comment by TBlumer — July 24, 2007 @ 10:19 pm
