Thieves who broke into a car belonging to an intern for the state of Ohio on Sunday now have access to data on all the state’s 64,000 employees — at least theoretically.
The data, which was on a backup device, included the names and Social Security numbers for all employees of the state, Gov. Ted Strickland announced Friday. Fortunately, it was encrypted, Keith Dailey, press secretary for the governor’s office, told TechNewsWorld. Ohio Highway Patrol has asked that specific details about the computer device and its encryption be withheld so as not to interfere with the investigation, Dailey said. [*Editor’s Note]
State employees were notified Friday morning via e-mail, and a letter will also be sent to their homes. In addition, a Web site went live today for ongoing information about the situation.
“I have asked the Ohio Highway Patrol to lead the investigation to recover the device,” Gov. Strickland said. “Also, I have directed the Department of Administrative Services to secure the opportunity for state employees to access free identity theft prevention and protection services for one year.”
Electronic data management standards at the intern’s work site call for the offsite storage of one set of backup data, and the intern had been “inappropriately designated to store the data at his home,” Gov. Strickland’s office said.
Strickland has since forbidden this data management practice and ordered a review of the events that led to the theft of the data. Once the facts are known, he will take appropriate disciplinary action.
The governor has also issued an executive order for state IT managers to immediately review procedures for handling data backup, making changes if necessary, to ensure that information is secure.
Encrypt, Encrypt, Encrypt
Unfortunately, the theft and loss of sensitive data is all too common, and even the biggest corporations and organizations have experienced it.
“This happens almost daily, so it’s almost not really news anymore,” Johannes Ullrich, chief technology officer at the SANS (SysAdmin, Audit, Networking and Security) Institute, told TechNewsWorld. “You can’t prevent every loss or theft of data, so the lesson is that you need to encrypt everything,” he said.
“Most everyone agrees that the only true way to defend data in any medium is to encrypt it,” agreed Phillip Dunkelberger, president and CEO of data protection provider PGP. “I’m glad the state of Ohio was already following that best practice.” [*Editor’s Note]
All the Data
It’s not just data stored on the drives of corporate computers that must be protected, Dunkelberger told TechNewsWorld; data in e-mails and on mobile devices like laptops and thumb drives should be encrypted as well, he stressed.
The theft of the backup device also underscores a key fact about cybersecurity, Parry Aftab, security expert and lawyer, told TechNewsWorld.
“This underscores the kind of risks that all of us face with our digital data,” she said. “It doesn’t come from cyber warfare or high-tech hackers or white-collar intelligence thieves. Instead, it comes from someone not taking very good care of normal, everyday devices that store this information.”
It’s the Little Things
Indeed, most of the problems Aftab sees with data exposure and corruption come from things like this — laptop thefts or employees who forget to encrypt data, share flash drives or fail to log out of their computers at the end of the day, she said.
“By and large,” she concluded, “most serious data exposure comes from everyday sloppiness or lack of attention.”
*ECT News Network editor’s note: UPDATE: In response to a query from ECT News Network on June 21, 2007, Keith Dailey, press secretary for the governor’s office, retracted his earlier statement that the data was encrypted: “The data on the device was not encrypted, as you’ve read, and the governor has called for standardized encryption protocol to address this in an executive order across all state agencies,” he told TechNewsWorld. “The governor has emphasized that it is unlikely someone could access the information in the device because specialized knowledge and equipment are necessary to extract the data.”