State of Ohio passes the buck


The state of Ohio is trying to blame a 22-year-old intern for the loss of almost 800,000 social security numbers and other personal information.  A backup tape containing unencrypted data was stolen from his car last month.  The intern, Jared Ilovar, would sometimes take home backup tapes to ensure that there was an off-site version of the data; his instructions were simply 'bring these back tomorrow.'

The tapes were stolen from his car in what would seem like a random crime spree, with other cars in the neighbourhood also being broken into.  Of course this could have been a well-planned and targeted attack with the other break-ins simply being a diversion; we shall probably never know.  Jared was promptly blamed for the leak, and when he refused to resign he was fired.

Ohio's Inspector General reported that this off-site backup policy had apparently been in place for five years, and for at least the last two it had been carried out by interns. His report blames a muddled chain of command and says that the data should have been properly secured and encrypted. Take a look at the full story here.

It's amazing that the State of Ohio, a $52 billion enterprise, would have such poor backup plans.  Surely they could afford to secure their confidential data somewhere other than the car boot of a $10.50/hour intern?!?

47 comments
itswhatyouvalue

Since it was a federal ID that was not protected properly by the state. And why don't the feds have regulations for the states to adhere to? Then the states could sue the Feds for not having regulations in place. Also one more point; were any monies allocated (either fed or state) for the security of the citizens, or was it spent elsewhere? My personal feelings are that politicians should be held accountable (personally/financially) for their actions or lack of. Don't shoot the messenger, fine the politician, (I bet any politician who ever did anything illegal would go find a private sector job within 6 months (or) fix the problem asap!) Kind of like a cop in uniform showing up at a crack house, watch them suckers run! LOL

jwlindsey

Several years ago (ca 1978) a client I was consulting with gathered his computer room employees together, showed them a safe in his office containing backup tapes, and told them that if there was ever a fire or other disaster that their first responsibility was to come to his office and carry the tapes out of the building. They immediately and unanimously responded that, contrary to his wishes, their first responsibility was to remove themselves from the building and that he should carry the tapes himself. He got the message and contracted the work to an off-site storage company.

urbanpagan

And this surprises anyone? I've dealt with major multinationals who would keep the backup tapes in a "locked" supply cupboard next to the server room. The server room BTW, had fire suppression systems, the hallway where the cupboard was didn't.

SObaldrick

Not only did their backup policy suck, no-one apparently told the intern that he was supposed to take the tape into his house (like if they were after the tape, it wouldn't have been his car that was broken into - duh!), but once they found out the tape was missing his company told him to lie to the police. This kid should sue, sue and sue again. Les.

jpb

I hope the poor intern sues them for wrongful dismissal, slander and defamation of character. The person to blame is the idiot who designed this ludicrous backup scheme.

melekali

How sad. Business (and govt) cannot get something for nothing. Permitting an intern to use this methodology to handle backup of sensitive data should be laid on the network administrator, CIO, etc.

3pdegeiso

There are a few issues I would like to point out about this story:

1. You are telling me that in the last 2-5 years that no other intern has left backup tapes in his car overnight which resulted in melted media?
2. So which is more likely? Theft of a spare set of tapes or a fire in the data center that destroys the main set of data? Hmmm...
3. Don't fire this intern, give him a raise. He has brought attention to a ridiculous policy that drastically needs improvement. Improvements in security almost always require an incident to occur before something is done to address it.
4. Fire the highest man/contractor/company up the totem pole as you can to set an example. Now there is a ton of wasted taxpayer dollars going to Credit Monitoring Services when they could have been using that money to improve security all along.

One of the biggest problems I see with Americans is the lack of taking responsibility for their actions or inactions. The least amount of work for the most amount of credit work mentality is a sickness in our country which I call chronic laziness syndrome and is the main reason the rest of the world is kicking our a**es. Shame on you Ohio, you should be on Keith Olbermann's Worst Person in the World... Ok my rant is over, thank you...

blackfalconsoftware

"Random Crime Sprees" do not target ambiguous things like a backup tape. If you have been watching the news in the past 18 months, the theft of personal information files in such situations has become rather commonplace. Some analysts postulate that this is being done by government agents to add data to their illegal database systems and the commonality of the crime would tend to support this. Given the predilections of the Bush Administration, this could hardly be considered "conspiracy theory".

pwebb

I worked for a public sector, government agency in Columbus for three years, starting in 2002. Here's my two cents on how this could feasibly happen.

The story mentions that the policy of "taking home the tape" had been in place for 5 years. That means the policy was implemented in 2001/2002, depending on the date of the event and the accuracy of the information. As it happens, I started working for government in Columbus in 2002. At that point in the State's history, budgets for things like off-site backup storage and IT security audits were being slashed -- we simply did not have the money any more to do everything we were able to do before.

That part of the equation is no one's fault -- it's just the way public sector runs. You are told (typically in September/October/November) how much money your department will be given for the following year. This money has to:

- pay the salaries of your employees,
- pay for replenishable items (like toner cartridges, backup tapes, blank CDs, etc -- stuff that has to be refreshed in stock)
- pay for servers that need to be replaced
- pay for workstations that need to be replaced
- pay for new software
- pay for parts to fix things that break

... you get the idea. Unlike private sector, there is no "wiggle room". You're given a set amount, and you have to work with it. Additionally, they like to base next year's budget forecast off of the current year's budget. So let's say in 2000 you used $600,000 for your department, but in 2001 you only used $400,000. Guess what you'll get in 2002 -- $400,000. It matters not that the average is $500,000, or that you may need $700,000. You don't use it, you lose it.

My point is, with budgets being cut and all of the above, some IT director in 2002 found himself with too little budget for all the things he needed, and he really didn't want to have to let valuable, critical employees go... so he cut a few corners. Perhaps he was paying $50,000 a year for a security audit by an outside company, so he cut that. He was probably paying Fireproof $30,000 for off-site tape storage. Looks perfectly reasonable to him to cut that and take the tape home himself every night. No big deal, right?

My guess is that the above-mentioned IT director became disgruntled with having to work in such a small work environment with no monetary resources, and he found himself other employment. Government agencies are very poorly equipped for handling this kind of thing, so his job probably sat vacant for 6 months. In that 6 months, someone had to assume his duties, so his department "shared the load" and his duties were handed out to others. The offsite backup thing fell in an intern's lap. You now have the makings of a disaster laid out in front of you.

The IT director I paint a picture of above was probably a reasonable, responsible state employee just trying to do his job. He probably lived in a suburb like Reynoldsburg, Dublin, or Pickerington, and he probably took the tape out of his car every night and took it into his house. The intern that fell victim to all of this was probably a reasonable, responsible guy as well, but he was an intern. He probably didn't live in the best neighborhood (I remember when *I* was an intern, and we lived on Macaroni and Cheese for a long time), and he got sloppy and left the tape in his car. His neighbors needed money for alcohol or drugs and went on a shopping spree.

The bottom line: That tape most likely ended up in a dumpster somewhere. They couldn't pawn it for anything, so they pitched it. It's unfortunate that the intern lost his job, and that someone higher up didn't do the honorable thing and take responsibility for a policy that was well conceived, but over time was obviously flawed. At the same time, calling for the firing of an entire department isn't justified either. Most government employees are good at their jobs and are just trying to make a living personally and professionally. It isn't their fault that they are asked by the public to build a "Mercedes" system with a toothpick and some bubble gum. Be thankful they actually do it 99% of the time.

catfish182

Interns get paid how much? I need that gig. What this is is stuff from the Taft administration spilling over. It sucks that my state govt (yes OH-IO) will throw an intern "under the bus" but is it shocking to me? No. Do you really think that anyone above him will say "O my bad sorry I thought it was cool to let interns take them off site"? Considering the options here in C-bus for offsite storage (Fireproof comes to mind, and no I don't work for them) it's being a cheapskate and laziness. Some IT manager would not get paid as much as he/she does if they had offsite storage and that's why this happened.

TonytheTiger

For one, all of the sensitive data was SUPPOSED to be removed from that particular server. I doubt seriously if the intern had personal knowledge of what was on the tapes. He was fired because he was the last in the chain and could not pass the blame to someone under him. $hit flows downhill in government.

trpassmore

The State of Ohio must be comprised of a bunch of idiots! A multi-billion-dollar state allows an intern to keep the backups in his trunk! Oh wow - his boss should be fired - actually not just his boss - the whole stinking department should be fired!

Dr Dij

Backups should:

1) be encrypted
2) probably be handled by professional service couriers
3) not be given to someone who would leave them in his car (see #2)

His boss should be held accountable.
