Site Sponsor:

mcafee_logo.gif
line

Now Available:

Featured Resource:

line

Realtime Communities

line

Newsletter

Email Address:


line

Monthly Archives

line

RSS

line

Ask the Expert

Have a question for our resident expert? Email your questions to Dan or post a comment to the blog.

« This Week in Data Breaches: More Losses, More Regulation? | Main | Italian Job Attack Uses "Commercial" Malware Delivery Platform »

Ohio Data Breach Shows Backups Vulnerabilities

News came out Friday that a backup tape stolen from the car of a$10.50/hr intern contained personal information on all state employees.

According to the Sprinfield News Sun's article Strickland: Data breach has expanded

Other information on the tape includes Social Security numbers, addresses and phone numbers of 53,797 participants in the state's pharmacy benefits managment program, Social Security numbers of 75,532 of their dependents, as well as the names and Social Security numbers of 64,467 state employees.

The Columbia Tribune and AP reported Sunday:

Also on Sunday, Strickland said the device contained the names and case numbers of the state's 84,000 welfare recipients, who face "a remote threat of identity theft," and the names and federal tax identification number of vendors that receive payroll deduction payments from the state - about 1,200 records. Sixteen of those records contain banking information, he said.


The Springfield News Sun also noted:

Strickland issued an executive order to change the policy that made the intern one of the employees permitted to take the backup tape home for security purposes.

At this point we can say (and it has been said) that the Govenor is closing barn door after.... OK, that's true. Unlike another well publicized data breach, at least Ohio officials aren't running away from this one.

The Toledo Blade reported (before the expanded breadth of the theft was reported) that:

The state is offering free identity-theft monitoring to all 64,467 employees of state and legislative offices, boards, and commissions for one year at a total cost to taxpayers estimated at $660,000.

So at a minimum, the cost of the theft of a $15 data device is $660,000. This example will drive home the point that it's not the cost of the device but the value of the information that needs to be considered when formulating security policies. This is a good time to for all of us to take another look at our risk analysis assumptions.

Tags:                
 Email This!  Digg it!  Sphere it!  Del.icio.us  Reddit!  Newsvine

Posted by Dan Sullivan on June 18, 2007 7:31 AM |

TrackBack

TrackBack URL for this entry:
http://www.realtime-websecurity.com/type/mt-tb.cgi/333

Post a comment

(All comments are approved by site leader before appearing here. Thanks for commenting!)

Search

line

Most Active Posts

line

Library Resources

line
line

Recent Posts

line

Categories

line

Latest White Papers

line

Blog Roll

line

Dan Sullivan's Bio:

Dan Sullivan is a systems architect with 20 years of IT experience that includes engagements in enterprise security, application design, and systems architecture. His experience includes a broad range of industries, including financial services, manufacturing, government, retail, gas and oil production, power generation, and education. Dan’s security-related project work has ranged from requirements analysis for enterprise information security to designing and implementing security for database applications and enterprise portals. Dan has written about information security and other enterprise information management topics for Business Security Advisor, DM Review, Intelligent Enterprise, and E-Business Advisor. You can contact Dan at: dan_sullivan@realtimepublishers.net