Saturday, June 23, 2007

Data compromise in Ohio reveals the need to be more proactive in protecting information

The practice of sending computer back-up tapes containing a great deal of personal and financial information home with interns went on for two to three years at a government office in Ohio, according to an article in the Columbus Dispatch.

The Columbus Dispatch is reporting:

In fact, it appears that the former technical manager for the Ohio Administrative Knowledge System didn't use regular state employees -- only two or three interns besides himself -- to take the data home on a rotating basis for safekeeping, said Ron Sylvester, a spokesman for the Ohio Department of Administrative Services.

Apparently this was part of a security policy meant to safeguard the information from fire or some other disaster at the office.

According to a state policy that officials said was last updated in April 2002, two backup copies were to be made each day of the data in the state's $158 million payroll and accounting system, known as OAKS. The current day's backup tape was to be maintained on site in the network administrator's office, and the previous day's backup tapes were to be taken to the network administrator's home in case of a fire or other disaster at the office.

My question is: can they account for all of these tapes, made daily?

One tape going home every day for two to three years is roughly 730 to 1,095 trips out of the building from this one agency (the on-site copy doubles the number of tapes written). With media leaving that routinely, it wouldn't be hard to make an extra copy and simply not return one.
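One way to actually answer that question is to reconcile a tape custody log against the policy quoted above. The Go program below is an added example for this post, not code from the state, Interhack or the Dispatch; it assumes a hypothetical log format (date, tape id, out/in, custodian), made-up tape ids and custodian names, and that one off-site tape leaves on every weekday. It flags working days with no check-out and tapes that never came back. Note what it cannot catch: a tape that goes home, gets copied, and comes back on time looks perfectly normal in the log.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// CustodyEvent is one line of a hypothetical custody log: a tape either
// leaves the building ("out") with a named custodian or comes back ("in").
// The log format, tape ids and names are assumptions for this example.
type CustodyEvent struct {
	Tape      string
	Action    string // "out" or "in"
	Custodian string
	When      time.Time
}

// Finding describes one discrepancy between the policy and the log.
type Finding struct {
	Tape   string
	Reason string
}

// sampleLog is a constructed custody log for one working week (not real
// data). Thursday has no check-out at all and the Friday tape never returns.
const sampleLog = `2007-06-11,T-0611,out,intern-a
2007-06-12,T-0611,in,intern-a
2007-06-12,T-0612,out,intern-b
2007-06-13,T-0612,in,intern-b
2007-06-13,T-0613,out,intern-a
2007-06-14,T-0613,in,intern-a
2007-06-15,T-0615,out,intern-b`

// parseLog reads lines of the form "YYYY-MM-DD,tape,action,custodian".
func parseLog(text string) ([]CustodyEvent, error) {
	var events []CustodyEvent
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Split(strings.TrimSpace(line), ",")
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed log line: %q", line)
		}
		when, err := time.Parse("2006-01-02", f[0])
		if err != nil {
			return nil, err
		}
		events = append(events, CustodyEvent{Tape: f[1], Action: f[2], Custodian: f[3], When: when})
	}
	return events, nil
}

// reconcile checks the log against the policy: one off-site tape leaves
// every working day (weekdays are an assumption here) and every tape that
// leaves must come back. It returns the tapes still outstanding
// (tape -> custodian), the working days with no check-out, and the findings.
func reconcile(events []CustodyEvent, from, to time.Time) (map[string]string, []string, []Finding) {
	outstanding := map[string]string{}
	checkoutDays := map[string]bool{}
	var findings []Finding
	for _, e := range events {
		switch e.Action {
		case "out":
			if who, ok := outstanding[e.Tape]; ok {
				findings = append(findings, Finding{e.Tape, "checked out again while " + who + " still had it"})
			}
			outstanding[e.Tape] = e.Custodian
			checkoutDays[e.When.Format("2006-01-02")] = true
		case "in":
			if _, ok := outstanding[e.Tape]; !ok {
				findings = append(findings, Finding{e.Tape, "checked in with no matching check-out"})
				continue
			}
			delete(outstanding, e.Tape)
		default:
			findings = append(findings, Finding{e.Tape, "unknown action " + e.Action})
		}
	}
	var missingDays []string
	for d := from; !d.After(to); d = d.AddDate(0, 0, 1) {
		if d.Weekday() == time.Saturday || d.Weekday() == time.Sunday {
			continue
		}
		if day := d.Format("2006-01-02"); !checkoutDays[day] {
			missingDays = append(missingDays, day)
		}
	}
	for tape, who := range outstanding {
		findings = append(findings, Finding{tape, "never returned; last custodian " + who})
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Tape < findings[j].Tape })
	return outstanding, missingDays, findings
}

func main() {
	events, err := parseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	from := time.Date(2007, 6, 11, 0, 0, 0, 0, time.UTC)
	to := time.Date(2007, 6, 15, 0, 0, 0, 0, time.UTC)
	_, missing, findings := reconcile(events, from, to)
	fmt.Println("working days with no off-site tape:", missing)
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.Tape, f.Reason)
	}
}
```

Run against the sample week it reports 2007-06-14 as a day with no off-site tape and T-0615 as never returned by intern-b. The point is less the code than the habit: if nobody is keeping even this much of a log, the question "can they account for all the tapes?" has no answer at all.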

Of course, someone with the proper knowledge and expertise probably wouldn't have a hard time copying them away from the office, either.

In response to this, the State of Ohio has hired a security firm to look into this matter.

The panel also earmarked up to $100,000 for Interhack Corp. of Columbus to assess the security of the new state accounting setup and to verify that state officials have identified all important data that have been stolen.

Curtin, the founder of Interhack, said it would take time, expertise and money for someone to read the tape. Because the state has notified those whose personal data may be affected, it would be difficult for a thief to use the information, he argued.

"So at this point now, if somebody tries to use the data, they're going to be found out pretty quickly," he said.

According to this report, the data wasn't encrypted, so reading a tape takes nothing more exotic than a compatible drive and the backup software that wrote it. Had the data been encrypted, recovering it would indeed take expertise and money, and with a strong cipher and a key kept away from the tapes it would be out of reach even for a well-funded thief. Encryption only fails when the key is weak, or when it travels with the tape it is supposed to protect.
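To make that concrete, here is what "encrypted, with the key kept elsewhere" looks like for a backup image before it is written to an off-site tape. This Go program is an added example, not anything the state or Interhack used; the tape label convention, the sample payroll record and the choice of AES-256-GCM are assumptions. Only the key, which stays in the office, turns the tape back into data: a wrong key, a relabelled tape or a single altered byte is refused.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newKey returns a random 256-bit key. In practice this key lives in the
// office key safe or an HSM and never travels with the tape.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealBackup encrypts a backup image with AES-256-GCM. The label (tape id
// and date, an assumed convention) is authenticated but not encrypted, so a
// tape that is relabelled or restored under the wrong id is rejected.
// Output layout is nonce || ciphertext || tag, written to the tape as-is.
func sealBackup(key, image, label []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, image, label), nil
}

// openBackup reverses sealBackup. Any error means the key is wrong, the
// label does not match, or the tape contents were altered; no plaintext
// is returned in that case.
func openBackup(key, blob, label []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n+aead.Overhead() {
		return nil, errors.New("blob too short to be a sealed backup")
	}
	return aead.Open(nil, blob[:n], blob[n:], label)
}

func main() {
	key, _ := newKey()
	otherKey, _ := newKey()
	// Constructed sample record, not real payroll data.
	image := []byte("constructed payroll record: employee 12345, net pay 1234.56")
	label := []byte("T-0615 2007-06-15")

	blob, err := sealBackup(key, image, label)
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext visible on tape:", bytes.Contains(blob, []byte("payroll")))

	if _, err := openBackup(otherKey, blob, label); err != nil {
		fmt.Println("wrong key:", err)
	}
	if _, err := openBackup(key, blob, []byte("T-0616 2007-06-16")); err != nil {
		fmt.Println("wrong label:", err)
	}
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 1
	if _, err := openBackup(key, tampered, label); err != nil {
		fmt.Println("altered tape:", err)
	}
	if got, err := openBackup(key, blob, label); err == nil && bytes.Equal(got, image) {
		fmt.Println("correct key and label: restore ok")
	}
}
```

The label check matters for exactly the daily rotation in the policy: a tape restored under the wrong day's id is refused instead of silently restoring the wrong data. None of this helps if the key is written on the tape case or kept in the same bag, which is the "key travels with the tape" failure the paragraph above describes.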

Organized criminals who deal in stolen information have been reported to hire experts, who probably have exactly this "knowledge and expertise."

Even scarier, Mr. Curtin also revealed that this probably wasn't the only agency sending information home:

Curtin said the practice of sending backup data home with employees is fairly common because of the cost involved in hiring a company to do it or using another facility.

Mr. Curtin is probably right that this particular information won't be used any time soon. Criminals would rather use information that nobody knows has been breached; they make (steal) a lot more money that way.

I'd be more worried about information that might have been compromised just as easily and that no one knows about yet.

We can all learn something from what happened in Ohio, and the key is to start being proactive about how we secure valuable information.

Reacting costs a lot of money and does little to solve the overall problem.

Revealing article by the Columbus Dispatch, here.

My original post on the Ohio Data breach, here.

Here is a post about people with the necessary knowledge and expertise to access (hack) information being recruited by organized criminals making a lot of money with stolen information:

IT Students Aren't the Only Human Resources that Internet Criminals Desire

1 comment:

Jeremy Scoville said...

Woah! I didn't know all of this about this story. Now, in most firms, the backup of the backup is usually only kept for thirty days, so it is also possible that the interns took the data home and brought it back with them to recycle the tapes. But we don't know that, nor do we know exactly what information was there.