By Fred J. Aun TechNewsWorld Part of the ECT News Network
06/21/07 2:16 PM PT
Last week, the state of Ohio announced that a data storage device containing the personal information of tens of thousands of state workers had been stolen from the car of an intern to whom it had been entrusted. Recently, the state has expanded the circle of those affected to nearly a quarter million taxpayers, most of whom possess checks from the government they haven't yet cashed.
Ohio's data theft problem has grown beyond the scope of the information originally provided by state officials.
It was announced last week that a data device containing state workers' personal info had been given to an Ohio state intern who reported it missing after his vehicle was burglarized. At the time, officials reported that the data pertained to 64,000 state employees.
The extent of the data contained in the device now appears much greater. The device, said officials, contains information about state employees, vendors and about a quarter-million taxpayers.
Ohio Gov. Ted Strickland continues to assert it's unlikely that the thief, who reportedly also made off with a radar detector swiped from the intern's unlocked vehicle, has the knowledge and equipment necessary to access the information. Nevertheless, he is urging everybody to "take preventative precautions."
As of yesterday, Ohio said it had "no information to date that the data has been accessed."
Sensitive and Secret
First announced June 15, the theft of the device is a potential identity-theft nightmare, since the device contains a treasure trove of data -- including the names, Social Security numbers and check amounts of up to 225,000 taxpayers with uncashed state personal income tax refund checks.
That's not all. The backup device was also used to preserve the names and Social Security numbers of 602 lottery winners who have yet to cash their winnings checks and the names and Social Security numbers of 2,488 Ohioans with uncashed checks for unclaimed funds payments.
Also on the device, according to the governor's office: The names and bank account numbers for approximately 650-1,000 electronic funds transfer (EFT) transactions, information related to uncashed Temporary Assistance for Needy Families (TANF) payments and the names and federal tax identification numbers of vendors receiving payroll deduction payments.
The List Goes On ...
There's more, said Strickland. The device includes school district and local government bank account information. There are Medicaid provider names, tax identification numbers, address and bank account information, plus the names, Social Security numbers and State Teachers Retirement System (STRS) account numbers.
Employee numbers, addresses, phone numbers and EFT banking information relating to 28,362 state employees and vendors are also on the device.
Mailboxes, Web Sites, Phone Numbers
The state is offering a year of free identity theft prevention and protection through Debix, and a post office box has been set up (P.O. Box 361901 Columbus, Ohio 43236) for informants to anonymously send information relating to the theft.
Additionally, Ohio created a Web site -- www.ohio.gov/idprotect -- to help potential victims find out if their name is in the files contained on the device. Those whose names come up will receive a personal identification number that will allow them to sign up for Debix identity theft protection services.
A telephone number (888-644-6812) was set up to distribute the latest information about the case.
The state is hiring Interhack, a Columbus-based data forensics and security firm, to assist with the investigation, Strickland said.
The Keys to Fort Knox
"The theft of the device happened when a state intern's car was broken into," acknowledged the state. "Electronic data management standards at the intern's worksite call for one set of backup data to be stored off-site and the intern had been inappropriately designated to store the data at his home."
Strickland ordered a review of the events that led to the incident and promised to "take appropriate disciplinary action when the facts are known." He also signed an executive order directing state information technology managers to "immediately review, and if necessary change, the procedures for handling back up information to ensure that information is secure at all times."
Putting it in Perspective
These cases have yet to result in documented identity theft, said privacy and information policy consultant Robert Gellman. "This is the same as a million other stories just like it," he told TechNewsWorld. "Computers, disks and tapes are lost routinely. All these stories are essentially non-events that don't accomplish anything but scare people. There is very little evidence that lost or stolen laptops or tapes produce any consequences."
However, the fact that Ohio didn't bother to encrypt the information was irresponsible, said Gellman.
"Yes, that's a problem," he offered. "If you are going to store personal information on any kind of device that could be lost or stolen, it should be absolutely routine today that the data is encrypted. If that were done, there would be no story here."
However, just because we rarely hear of identity thefts directly related to incidents such as the one in Ohio, it doesn't mean they don't occur, said Bruce Schneier, CTO of BT Counterpane.
"The problem is when someone has a fraud committed against them, you don't know where it came from so it's impossible to link the damage," Schneier told TechNewsWorld. "So if, next week, there are four identity thefts, do we know they're not from this case?"
There's a simple explanation about why the data was not encrypted and was sent home with an intern, offered Schneier. "The people entrusted with this information don't actually care if it gets lost," he said. "It's not their loss. It's somebody else's. ... Fundamentally, it's just not that important to them."