From: InfoSec News (alertsinfosecnews.org)
Date: Thu Jun 21 2007 - 02:10:03 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://www.ohio.com/mld/beaconjournal/news/state/17395223.htm

By STEPHEN MAJORS
Associated Press
June 20, 2007

COLUMBUS, Ohio - A missing computer backup tape containing personal
information on 64,000 state employees and family members also holds the
names and Social Security numbers of 225,000 taxpayers, Gov. Ted
Strickland said Wednesday.

The tape, stolen last week from a state intern's car, contained
information on taxpayers who have not cashed state income tax refund
checks issued in 2005, 2006 and through May 29, 2007, Strickland said in
what has become a nearly daily release of newfound information contained
on the tape since the first disclosure Friday. The list includes checks
that were cashed after May 29.

In addition, the tape includes the names and Social Security numbers of
602 lottery winners who have yet to cash their winning tickets and 2,488
Ohioans who have yet to cash checks for unclaimed funds payments,
Strickland said. It also holds the names and bank account numbers for
approximately 650 to 1,000 electronic funds transfers that weren't
completed because they were bounced back by banking institutions.

Among other information on the device is bank account information for
school districts and details on people enrolled in the state's pharmacy
benefits program.

Strickland said he can't be certain the tape doesn't contain other
sensitive information until an expert hired to review the data
determines he's finished.

The administration continues to maintain that it does not believe the
information has been accessed because it would require specific
hardware, software and expertise. Strickland said 20,000 state employees
had signed up for identity-theft protection as of Tuesday night, and
there had been no indications that someone had attempted to use their
personal information.

The state is paying more than $700,000 to provide all state employees
with identity-theft protection services and to hire an independent
computer expert to review what data the tape contained. Officials said
they would extend identity-theft protection services to the new
categories of people announced Wednesday.

The tape was stolen June 10 out of the unlocked car of a 22-year-old
intern who had been designated to take the backup device home as part of
a standard security procedure. When the governor announced the theft
Friday, he also issued an executive order ending the practice of
employees taking backup devices home for safekeeping and mandating a
review of how state data is handled, including establishing an
encryption protocol.

Data security experts said the unencrypted tape, described by Hilliard
police as roughly 4 inches square and an inch thick, could be breached
by someone with computer expertise, time and financial resources.

Ohio taxpayers can search an online database to determine whether their
names are included in the stolen files. If so, they will receive a pin
number they can use to sign up for identity-theft protection.

Officials do not believe they will need to seek additional funds to fund
the additional categories because generally about 20 percent of those
eligible sign up for such services. The funding released Monday by the
Controlling Board assumed all employees would use the protection.

The state entered into a "pay as you go" contract with Debix, the
service provider, and will use more funds if necessary, officials said.

_____________________________________________________
Attend Black Hat USA, July 28-August 2 in Las Vegas,
the world's premier technical event for ICT security
experts. Featuring 30 hands-on training courses and
90 Briefings presentations with lots of new content
and new tools. Network with 4,000 delegates from
70 nations. Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on
June 1 so register today. http://www.blackhat.com

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]