Ohio Data Leak Follows The 'Worse Than First Thought' Plan
from the working-for-you dept
It's pretty much par for the course that when a data leak gets disclosed, it's followed up a few weeks later with another announcement revealing that even more people's information was lost than first thought. Whether that's because it takes some time to figure out the extent of losses or is just a PR ploy is open for debate. In any case, you might remember the recent case in Ohio, where the personal information of all the state's 64,000 or so employees was lost when a storage device containing it was stolen out of an intern's car. True to form, the state's governor has issued an update, revealing that it's not just the state employees whose info was stolen, but a total of about 500,000 people, including welfare recipients, state employees' dependents, and taxpayers with uncashed income tax refunds. We noted earlier that the intern had the device as part of the state's security protocol, in which employees rotated taking backups home with them in case data on the state's system was lost. While storing backups off-site has some merit, this incident highlights the idiocy of just passing out devices to employees and having them take them home, rather than storing them in some more secure manner. The state has now ordered an end to the practice, while the state police have set up a post office box "in hopes that the storage device would be returned anonymously." Somehow, given the great job state officials have done to advertise the potential value of the device, that seems pretty unlikely.Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
Subscribe: RSS
View by: Time | Thread
Offsite storage does not mean taking it home!
Any business worth it's stock prices will have a paid off-site provider who stores these backups in a climate controlled facility, secure and protected.
On another matter. How easy is it to read this data? The article also mentions that the data is "difficult to comprehend" and could not be read without specialized equipment. Does this mean the data is encrypted? If so, I hope the password wasn't chosen by someone who thinks his/her kid's name and a random number is a good idea of a password...
EtG
[ link to this | view in thread ]
[ link to this | view in thread ]
And yeah - to a clueless computer user a file with the extention '.XLS' might be "difficult to comprehend" - but to anyone who knows what an excel file is... well..
It might be 'difficult' for the Governor to comprehend, but I daresay anyone who's worked on PC's a while could figure it out.
[ link to this | view in thread ]
All I need is another reason to love this state!
[ link to this | view in thread ]
[ link to this | view in thread ]
My guess, from working at the department that lost this "backup device," (circa Y2K, so don't quote me as being anything close to an official statement) was that it was a sql dump, or in-place hot backup. For those who are playing at home, the former is very EASY to read. The later is a little harder to read, as it requires you to get a copy of the fairly common, but kinda pricey software first. I don't know if a student/free copy of the software (I honestly don't remember if it was Oracle, or Sequel) would allow you to recover from a hot backup, or not.
When I was working there, I do remember security having a very high PR value, and a very low practicality implementation. That being said, encryption was probably NOT implemented.
[ link to this | view in thread ]
why
[ link to this | view in thread ]
It's been all over the news here in Columbus
In that sense, it probably would take a fair amount of effort to recover anything from the tape cartridge, as you would need to have a computer to restore the data to, a device capable of reading the cartridge, and software capable of reading the backup format. It's not quite as straightforward as pulling data from a stolen laptop or USB hard disk, but it's certainly well within the capabilities of someone who is actively pursuing said data. The only question is whether it was stolen by an opportunistic thief or if it was a targeted theft.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Just Stupid or Criminal
[ link to this | view in thread ]
Re: why
[ link to this | view in thread ]
The warning bell...
One hell of a state backup system, where even the intern have a turn at taking home everyones data.
[ link to this | view in thread ]
Obviously never worked for government...
Those on the bottom don't have any choice but to do what they are told, 'thinking', 'offering ideas', or 'attempting to insert a modicum common sense' are all likely to get you fired if you work for the government. However being an incompetent moron is likely to get you promoted, since they wouldn't want you actually doing anything important and messing it up, so they will just put you in charge so you can make other 'screw up' when they follow your advice, and then you can bring down the hammer and fire them, thereby proving that you actually did something useful (government managers will read this and think, yeah, so? without ever stopping to realize how screwed up things really are)
Likely scenario:
Intern - Hey we should have offsite storage of our backup material, in the event of a disaster or system crash. Here's a great provider I looked up, they handle secure transportation, guarantee the media is stored in a safe environment, and even provide on-call recovery services in the event that they are needed. Here's the complete proposal and supporting documentation.
Manager (in board meeting) - I've decided that we need to implement offsite storage of our backup tapes, and our Intern has graciously volunteered to 'handle' everything (meaning that the intern will get stuck sloggin the media around, not that the intern's idea/recommendation will get implemented). A month later when the inevitable happens and the tape is lost.... Fire the Intern, blame them for the entire idea, then sit back rejoice in how well you 'fixed' things (ignoring the fact that you caused the entire situation - acceptance of fault in government jobs is limited, nobody is willing to admit they did anything wrong), while continuing to rake in the big bucks for doing all the 'hard' work.
Can you tell I'm not very happy with the way things work at my government job?
They say that sufficiently advanced incompetence is indistinguishable from malice. Nowhere is this more clear that government IT. - Unknown
[ link to this | view in thread ]
And another one
[ link to this | view in thread ]