Saturday, June 16, 2007

Ohio data breach reveals how "not very secure" personal information is

I discovered a long time ago, it would be pretty hard to keep up with all the data-breaches. After all, they seem to happen with alarming frequency.

The most recent blunder, enabled by a State of Ohio security procedure, illustrates how not very secure a lot of personal information is.

Stephen Majors of the AP (courtesy of Forbes) is reporting:

A 22-year-old intern was given the responsibility of safeguarding the personal information of thousands of state employees, a security procedure that ended up backfiring.

The names and Social Security numbers of all 64,000 Ohio state employees were stolen last weekend from a state agency intern who left a backup data storage device in his car, Gov. Ted Strickland said Friday.

Interesting, a security procedure that backfired?

The AP story gives more details on this:

Under protocol in place since 2002, a first backup storage device is kept at a temporary work site for a state office along with the computer system that holds all the employee information, and a second backup device is given to employees on a rotating basis to take home for safekeeping, officials said
I guess this means that rotating employees have the ability to take this "storage device" home -- and if any of them happened to be dishonest -- it wouldn't be very hard to make a copy. Information is bought and sold by data-brokers, and criminals, alike. The reason for this is because it makes them a lot of money.

Of course, the official spin artists, aren't stating exactly what the device is. The Police report states that it's worth about $15, which isn't very expensive, and therefore probaby isn't very secure (my guess).

Governor Strickland was quoted in the article as saying:

"I don't mean to alarm people unnecessarily." "There's no reason to believe a breach of information has occurred."
Sadly enough, this might make sense -- when information is protected like this, it probably could have been copied long ago -- and no one would know any better. It wouldn't be necessary to go through all the trouble of breaking into a car to steal it.

With security like this, the information could have been compromised a long time ago.

Governor Strickland's site, which offers the "official spin" and free identity theft protection for the most recently "compromised," can be seen, here.

AP Story, here.

The Privacy Rights Clearinghouse and Attrition.org do have people, who have the time to keep up on all the data-breaches, in case anyone wants to take a detailed look at the problem.

This information is worth money, here is a post about how it is being sold right on the Internet:

Information Week exposes the Internet Underworld

Insider theft is nothing new, and should be a concern when protecting information. As long as information is worth a lot of money, insiders will probably be solicited for it. Here is a post, I wrote about this matter:

Why it's become TOO easy for restaurant workers to skim payment cards

1 comment:

daniel said...

Shows how people can be so stupid with someone's Info.
FTGF!