Disaster Recovery

State of Ohio passes the buck


The State of Ohio is trying to blame a 22-year-old intern for the loss of almost 800,000 Social Security numbers and other personal information. A backup tape containing unencrypted data was stolen from his car last month. The intern, Jared Ilovar, would sometimes take home backup tapes to ensure that there was an off-site copy of the data; his instructions were simply 'bring these back tomorrow.'

The tapes were stolen from his car in what looks like a random crime spree, with other cars in the neighbourhood also broken into. Of course, this could have been a well-planned and targeted attack with the other break-ins serving as a diversion; we shall probably never know. Jared was promptly blamed for the leak, and when he refused to resign he was fired.

Ohio's Inspector General reported that this off-site backup policy had apparently been in place for five years, and that for at least the last two it had been carried out by interns; his report blames a muddled chain of command and says that the data should have been properly secured and encrypted. Take a look at the full story here.

It's amazing that the State of Ohio, a $52 billion enterprise, would have such poor backup plans. Surely they could afford to secure their confidential data somewhere other than the car boot of a $10.50/hour intern?!?
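The Inspector General's point that the data should have been encrypted is the one technical lesson in this story. What follows is an added example, not code from this post, from the State of Ohio or from any vendor, showing what "encrypted before it leaves the building" looks like in practice: a Go program (standard library only) that seals a backup image with AES-256-GCM, binds the tape label as authenticated data, and keeps the key separate from the media. The function names, the tape label and the sample record are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed example, not the State of Ohio's standard or any product's code.
// The key is generated and held by the agency (a key vault, an HSM, or at
// minimum a sealed envelope in a different building); it is never written to
// the same tape as the data it protects.

// newMediaKey returns a fresh 256-bit AES key from the OS random source.
func newMediaKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// sealBackup encrypts a backup image with AES-256-GCM. The tape label is bound
// as additional authenticated data, so the ciphertext is tied to the media it
// was written for. Output layout: nonce || ciphertext || GCM tag.
func sealBackup(key []byte, tapeLabel string, image []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("sealBackup: key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, image, []byte(tapeLabel)), nil
}

// openBackup reverses sealBackup. Any change to the ciphertext, the tag or the
// label (or use of the wrong key) is rejected before a single byte is returned.
func openBackup(key []byte, tapeLabel string, sealed []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("openBackup: key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("openBackup: sealed image too short")
	}
	nonce, body := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, body, []byte(tapeLabel))
}

func main() {
	// Constructed stand-in for a backup image holding personal records.
	image := []byte("ssn=000-00-0000,name=constructed sample record\n")
	key, err := newMediaKey()
	if err != nil {
		panic(err)
	}
	sealed, err := sealBackup(key, "OFFSITE-TAPE-01", image)
	if err != nil {
		panic(err)
	}
	// What a thief holding only the tape sees: nonce, ciphertext and tag.
	fmt.Printf("on tape: %d bytes, no plaintext, e.g. %x...\n", len(sealed), sealed[:8])

	restored, err := openBackup(key, "OFFSITE-TAPE-01", sealed)
	fmt.Println("restore with the agency's key:", err == nil && bytes.Equal(restored, image))

	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = openBackup(key, "OFFSITE-TAPE-01", tampered)
	fmt.Println("restore of a modified tape rejected:", err != nil)
}
```

With this in place a tape lifted from a car boot is a lump of random-looking bytes, and the control that actually matters becomes custody of the key, which should live with the agency and never on the same media. The snippet covers only the encryption step; key rotation, a key escrow copy and a documented restore drill are still needed before the off-site copy is worth anything in a real disaster.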

47 comments
itswhatyouvalue

Since it was a federal ID that was not protected properly by the state. And why don't the feds have regulations for the states to adhere to? Then the states could sue the Feds for not having regulations in place. Also one more point: was any money allocated (either fed or state) for the security of the citizens, or was it spent elsewhere? My personal feelings are that politicians should be held accountable (personally/financially) for their actions or lack of. Don't shoot the messenger, fine the politician. (I bet any politician who ever did anything illegal would go find a private sector job within 6 months (or) fix the problem asap!) Kind of like a cop in uniform showing up at a crack house, watch them suckers run! LOL

jwlindsey

Several years ago (ca 1978) a client I was consulting with, gathered his computer room employees together, showed them a safe in his office containing backup tapes, and told them that if there was ever a fire or other disaster that their first responsibility was to come to his office and carry the tapes out of the building. They immediately and unanimously responded that, contrary to his wishes, their first responsibility was to remove themselves from the building and that he should carry the tapes himself. He got the message and contracted the work to an off-site storage company.

urbanpagan

And this surprises anyone? I've dealt with major multinationals who would keep the backup tapes in a "locked" supply cupboard next to the server room. The server room BTW, had fire suppression systems, the hallway where the cupboard was didn't.

RipVan

There is a very large federal government agency where people work in the print room. I don't know if anyone else has something similar, it is a room where large volumes of prints are generated (letters, research, etc...) When the bins get full, an employee moves the stack of prints, puts a tie around it, and stacks up the portions of each 'run'. After doing this for 6 months, they qualify for practically any IT job in the whole agency. And the IT jobs are filled from this pool of employees. And the managers see nothing wrong with this setup. Maybe because they are too busy making 'big' IT decisions...

SObaldrick

Not only did their backup policy suck, no-one apparently told the intern that he was supposed to take the tape into his house (like if they were after the tape, it wouldn't have been his car that was broken into - duh!), but once they found out the tape was missing his company told him to lie to the police. This kid should sue, sue and sue again. Les.

jpb

I hope the poor intern sues them for wrongful dismissal, slander and defamation of character. The person to blame is the idiot who designed this ludicrous backup scheme.

melekali

How sad. Business (and govt) cannot get something for nothing. Permitting an intern to use this methodology to handle backup of sensitive data should be laid on the network administrator, CIO, etc.

3pdegeiso

There are a few issues I would like to point out about this story: 1. You are telling me that in the last 2-5 years that no other intern has left backup tapes in his car overnight which resulted in melted media? 2. So which is more likely? Theft of a spare set of tapes or a fire in the data center that destroys the main set of data? Hmmm... 3. Don't fire this intern, give him a raise. He has brought attention to a ridiculous policy that drastically needs improvement. Improvements in security almost always require an incident to occur before something is done to address it. 4. Fire the highest man/contractor/company up the totem pole as you can to set an example. Now there is a ton of wasted taxpayer dollars going to Credit Monitoring Services when they could have been using that money to improve security all along. One of the biggest problems I see with Americans is the lack of taking responsibility for their actions or inactions. The least amount of work for the most amount of credit work mentality is a sickness in our country which I call chronic laziness syndrome and is the main reason the rest of the world is kicking our a**es. Shame on you Ohio, you should be on Keith Olbermann's Worst Person in the World... Ok my rant is over, thank you...

blackfalconsoftware

"Random Crime Sprees" do not target ambiguous things like a backup tape. If you have been watching the news in the past 18 months, the theft of personal information files in such situations has become rather commonplace. Some analysts postulate that this is being done by government agents to add data to their illegal database systems, and the commonality of the crime would tend to support this. Given the predilections of the Bush Administration, this could hardly be considered "conspiracy theory".

Big Ole Jack

People will think you are crazy and delusional with your half-assed conspiracy theories. Oops... too late... you've already opened your mouth.

shraven

Umm... what makes you so sure the target was the tape? How do you know the tape wasn't taken by people who didn't know it was included in the haul or didn't even know what it was? How do you know theft of personal data is on the rise rather than we're just hearing about the incidents more often because it's a good story these days? Some analysts postulate that every conspiracy theorist is compensating for a small wee-wee. And yes, your theory is most definitely in the conspiracy theory category. How do I know? Because what's really happening is that Hillary Clinton is responsible for every incident that's occurred in the past 6 years - including 9-11. It's part of a massive secret program by social communist liberal democrats to discredit the Bush administration to such an extent that the public will vote "Anybody but a republican" in 2008 and the subversive elements which paid for the first Clinton administration can get their stooges back in the White House. You can see this is an obvious truth because people like you consistently blame Bush for everything from the collapse of the WTC, to Katrina, to the inability to get it up at night... with a straight face. We need to go back to the good old days when the Oval Office was for BJs and nobody had time to be concerned about things like security. Which brings us full circle back to interns. Ah interns... those nubile young gullible interns!

nathan.warchak

Do you honestly think they don't already have this information and much more? You can't honestly be that naive, can you? The government has any information they want already, and if they don't have it they aren't going around stealing it out of 22-year-old interns' cars to get it. As for your Bush comment, it's obvious you're clueless, so I won't address that anymore...

pwebb

I worked for a public sector, government agency in Columbus for three years, starting in 2002. Here's my two cents on how this could feasibly happen.

The story mentions that the policy of "taking home the tape" had been in place for 5 years. That means the policy was implemented in 2001/2002, depending on the date of the event and the accuracy of the information. As it happens, I started working for government in Columbus in 2002. At that point in the State's history, budgets for things like off-site backup storage and IT security audits were being slashed -- we simply did not have the money any more to do everything we were able to do before. That part of the equation is no one's fault -- it's just the way public sector runs. You are told (typically in September/October/November) how much money your department will be given for the following year. This money has to:

- pay the salaries of your employees,
- pay for replenishable items (like toner cartridges, backup tapes, blank CDs, etc -- stuff that has to be refreshed in stock),
- pay for servers that need to be replaced,
- pay for workstations that need to be replaced,
- pay for new software,
- pay for parts to fix things that break...

you get the idea. Unlike private sector, there is no "wiggle room". You're given a set amount, and you have to work with it. Additionally, they like to base next year's budget forecast off of the current year's budget. So let's say in 2000 you used $600,000 for your department, but in 2001 you only used $400,000. Guess what you'll get in 2002 -- $400,000. It matters not that the average is $500,000, or that you may need $700,000. You don't use it, you lose it.

My point is, with budgets being cut and all of the above, some IT director in 2002 found himself with too little budget for all the things he needed, and he really didn't want to have to let valuable, critical employees go... so he cut a few corners. Perhaps he was paying $50,000 a year for a security audit by an outside company, so he cut that. He was probably paying Fireproof $30,000 for off-site tape storage. Looks perfectly reasonable to him to cut that and take the tape home himself every night. No big deal, right?

My guess is that the above-mentioned IT director became disgruntled with having to work in such a small work environment with no monetary resources, and he found himself other employment. Government agencies are very poorly equipped for handling this kind of thing, so his job probably sat vacant for 6 months. In that 6 months, someone had to assume his duties, so his department "shared the load" and his duties were handed out to others. The offsite backup thing fell in an intern's lap. You now have the makings of a disaster laid out in front of you.

The IT director I paint a picture of above was probably a reasonable, responsible state employee just trying to do his job. He probably lived in a suburb like Reynoldsburg, Dublin, or Pickerington, and he probably took the tape out of his car every night and took it into his house. The intern that fell victim to all of this was probably a reasonable, responsible guy as well, but he was an intern. He probably didn't live in the best neighborhood (I remember when *I* was an intern, and we lived on Macaroni and Cheese for a long time), and he got sloppy and left the tape in his car. His neighbors needed money for alcohol or drugs and went on a shopping spree.

The bottom line: That tape most likely ended up in a dumpster somewhere. They couldn't pawn it for anything, so they pitched it. It's unfortunate that the intern lost his job, and that someone higher up didn't do the honorable thing and take responsibility for a policy that was well conceived, but over time was obviously flawed. At the same time, calling for the firing of an entire department isn't justified either. Most government employees are good at their jobs and are just trying to make a living personally and professionally. It isn't their fault that they are asked by the public to build a "Mercedes" system with a toothpick and some bubble gum. Be thankful they actually do it 99% of the time.

InfoSecAuditor

I have nearly 10 years of public sector IT experience, including IT security administration, and another 2 years of international IT security audit experience with a Big 4 firm. Information Security is treated as an afterthought in many government agencies throughout the US. The only time it is taken seriously (read: action is taken) is when an agency experiences a security breach or some other issue related to InfoSec. Case in point, now that Ohio has experienced the above referenced issue, the "State Chief Information Officer (CIO) Steve Edmonson today (7/27/2007) announced the release of statewide IT Standard ITS-SEC-01 which defines an encryption protocol to protect data across state agencies." Talk about closing the barn door after the horses ran out.

While drawdowns in IT budgets over the last few years have been challenging for government (not to mention private) entities, I can tell you from my own experience that this has little to do with the lack of information security policy at these organizations. The problem is systemic. Most government IT organizations I've dealt with have their IT security functions handled by operational or administrative staff. These staff members typically have direct reporting lines to the CIO. This can be a conflict of interest, especially if the CIO is more focused on availability than confidentiality or integrity (yes, I've used a CIA triangle reference... so sue me). IT security responsibilities should be driven from outside of the IT department, usually by a CISO or Security Officer that is not a direct report to the CIO. Unfortunately, most local and state governments are reluctant to fund this.

In this particular case, Ohio had poor controls in place surrounding their IT operations. This issue would typically be picked up in publicly traded companies because they are required to go through comprehensive audits, including IT audits, on a yearly basis (reference Sarbanes-Oxley requirements). To my knowledge, there is no corresponding requirement for local and state government entities. For the State of Ohio to single out an intern as their scapegoat for this breach of security is unconscionable. The fault lies with management, and they should be held accountable. This includes the CIO, since this happened on his watch. Blaming an intern for a systemic issue is like blaming a private for a botched war strategy (ok, loose analogy, but you get my point). Complain about the lack of funding all you want, but this is critical data we're talking about. I wonder how much it will cost the State to cover all of the ad hoc credit reports that are now going to be requested, not to mention potential lawsuits this will generate. I'm no lawyer, but I can imagine the intern in question has a heck of a case against the state... and I'm sure there's no shortage of lawyers willing to take a case this high profile.

In closing, I spent much of my time in government IT banging my head against the wall (figuratively speaking, of course) trying to get them to take InfoSec seriously. Eventually I had to leave and join an organization outside of government that did. Hopefully, with high profile issues like this surfacing on a more frequent basis, there will be a trend for local and state government to start improving their security policies and practices. Time will tell.

fbrentwood

I also work for a state government and we constantly have budget issues. Backups are an afterthought and, when presented with the costs, are one of the first things to be slashed. We have a fairly good backup system for most of our network now. I still back up many of my systems on discs just to make sure things aren't a total loss. The DBAs have a private company coming in and out daily with tapes. While having someone take the backups home is not the best, the intern was not the brightest by leaving it in his car. When I was a newbie in the IT field I had to drop tapes off at the data center. I didn't particularly like doing this job but it had to be done. On occasion the center would be closed so I would have to take them home. And by home I mean inside the house, not in the car where it is easier to steal. In the State of Ohio situation there were mistakes from the poor intern to the governmental policy.

catfish182

Interns get paid how much? I need that gig. What this is is stuff from the Taft administration spilling over. It sucks that my state govt (yes OH-IO) will throw an intern "under the bus", but is it shocking to me? No. Do you really think that anyone above him will say "O my bad, sorry, I thought it was cool to let interns take them off site"? Considering the options here in C-bus for offsite storage (Fireproof comes to mind, and no I don't work for them), it's being a cheapskate and laziness. Some IT manager would not get paid as much as he/she does if they had offsite storage and that's why this happened.

TonytheTiger

For one, all of the sensitive data was SUPPOSED to be removed from that particular server. I doubt seriously if the intern had personal knowledge of what was on the tapes. He was fired because he was the last in the chain and could not pass the blame to someone under him. $hit flows downhill in government.

trpassmore

The State of Ohio must be comprised of a bunch of idiots! A multi billion dollar state allows an intern to keep the backups in his trunk! Oh wow - his boss should be fired - actually not just his boss - the whole stinking department should be fired!

cklammer

Government at its worst: (1) An intern has been placed in a position of (probably unsupervised, I surmise) responsibility. That should not happen in any organization and is a stark management failure. (2) The backup policy is obviously inadequate (insecure, unspecified locations; unregulated access etc) security-wise. The responsibility for adequate policies lies with management. (3) The way the "scapegoating" has been done also indicates various management inadequacies and displays a callous disregard for the best interest of the state of Ohio. For all the above reasons, the head of IT for the State of Ohio and several of his/her subordinates must be fired as they have shown themselves to be untrustworthy.

Big Ole Jack

and their stupid and asinine policies. If some private contractor doesn't come in and show these numbnuts how to do things properly, they end up doing things like a bunch of toddlers with a set of dangerous power tools, only to get injured by their own stupidity later. In this case, they are blaming and killing the messenger when it's clear the moron to be blamed and fired was the blockhead in charge who instituted this stupid policy of having interns take tapes home. Leave it to the public sector to make a great example of how NOT to do things in the private sector. It's stories like this that make the private sector laugh and give it more business by selling its professional services to the dumbasses in gov't.

nathan.warchak

Have you ever worked for any government agency? While I do agree a lot of things in the government are screwy, you have to understand that these things happen in the private sector a lot too. But they aren't talked about as much because it's not the government. I work for the government and I can tell you that we have about 1023981209834129038 more rules and regulations for computer security than ANY contractor we have ever had come in and do work. As a matter of fact it's so strict it sometimes hinders us from getting the job done in a timely fashion. Obviously the government has lots of flaws. I just wanted to point out that you can't blanket the whole government, because I know first hand the amount of time I spend during my day in the name of security.

Big Ole Jack

You wanna talk about politics, incompetence, and illogical bullsh-T? Work for the NY Metropolitan Transportation Authority and you'll know what I'm talking about. That's why I no longer work for them.

TonytheTiger

If the thief didn't know what he had (an even bet), he does now! I'm wondering if it wouldn't have been better to get the names off of the server, and notify those people privately. I hope that data isn't recovered and used. If it is, the taxpayers of Ohio will be paying for it for a long time. I mean, wouldn't the state be liable for all losses?

MAR1701

While state management and officials cannot be held blameless, a lot, probably even most, of the fault must be laid at the feet of the private contractor group who is managing this major project. And some 'blockheads' are being fired, but the contractor should be held liable for some of the expense as it was their procedures to handle the backups in this manner - not just state people.

TonytheTiger

It's just that when it happens in a public agency, it gets more publicity.

TechinMN

You're telling me they hired a contractor and let them do their job with zero oversight written into the contract? I doubt it. It's the State's responsibility to do this job, and if they contract it out, then it is their responsibility to make sure the job is done properly by the contractor. Period. Responsibility and accountability start at the top, and if the upper level is half-assed about making sure things are done properly, is there any wonder the contractor adopted the same attitude? One thing I don't hear mentioned is what the contractor's contractual responsibilities were. I see the kid getting blamed for his incredibly poor training, and a LOT of CYA, but there is nothing definite as far as what the State's or the contractor's responsibilities were. (Though it _does_ sound like a bunch of over-paid lazy-ass bureaucrats--both private and public--got caught shrugging off their duties in a big way.) Sounds like a couple of nice lawsuits are going to come out of this, starting with how this data was not encrypted, nor stored securely (I mean, come on: store it in a locked closet in one of the State's multiple buildings, if nothing else!), and continuing with the poor training, harassment, and blatant negligence in the handling and protecting of private information. This might be fun to follow.

Big Ole Jack

And the private contractor did bungle this one and the end results showed it, but statistically, the gov't sector is more to blame for this stupidity than many private contractors.

Locrian_Lyric

Since you're from the same region, you'll know I'm not making this one up. When I worked for gov't back in the 90's, there was a completely incompetent director (no surprise there) who couldn't do anything right. I asked how he ever got his job, and what he did before this one. The answers: 1) He donated 10,000 to the political party in power. 2) He was a janitor.

shraven

Smells fishy. A janitor made enough to be able to donate $10,000 to a political party? Can I have that janitor job now that it's vacant? Being from Michigan, I know that people from OHIO could be making ANYTHING up. They have peninsula envy.

Big Ole Jack

and this also goes for the private sector as well. Many corporate assclowns who are now CEOs and CIOs got their positions because they knew somebody or somebody knew them, yet barely have the qualifications for the job.

Dr Dij

Backups should:
1) be encrypted
2) probably be handled by professional service couriers
3) not be given to someone who would leave them in his car (see #2)
His boss should be held accountable.

keithc

The responsibility should be passed up the chain until you reach the person who can authorize the cost of the problem as an expenditure. That person should be the one who carries the can. If necessary, involve the people below that level who made bad decisions, but don't absolve the higher echelons of their responsibility. Of course, this will not happen...

crollo3

Just another story of highly paid idiots blaming someone else for their stupidity. Hang on to your gluteus maximus; it's not going to get any better.

mnbourke

This poor intern is going to carry the can for corporate failure which is going to impact on their career forever. State of Ohio shame on you.

JohnMcGrew

...strategy. The only problem here was that it was very poorly conceived and implemented. Backup is one of those things that is so not sexy, everyone hates dealing with it, it's expensive, and yet the very existence of the entire enterprise may end up depending on it some day. Few people in IT advance for harping about it. It's just like insurance; you hate dumping money down what seems like an endless drain for something you hope you will never need. And yet, the risks of not doing so are horrendous. I think one of the hardest things in IT is convincing your clients or bosses that they need to spend at least as much on backup strategy as they do on storage. Few seem able to accept that.

DanFan

I received a letter from the State of Ohio advising that my information was/could be on the mystery tape. They are offering me one year of free credit protection service for my trouble. It doesn't make me feel better to hand my personal information over to yet another government-sponsored program. I heard it was costing the State several million dollars to offer this service. At least I'm getting some of my tax money back, ;o). Major pain in the you-know-what.

InfoSecAuditor

Sorry for your troubles, DanFan. One thing you should probably be aware of, though. Your comment of "At least I'm getting some of my tax money back" is inaccurate. The government will have to fund the credit reporting program in some way. This will most likely require an increase in your taxes (or at least a re-shuffling of current funds, thereby reducing services in some area). Sad to say, but you'll be paying for this program either way.

Justin Fielding

Certainly would have been cheaper to do it properly the first time.

TonytheTiger

If someone is smart enough to get the data off of those tapes, they're smart enough to wait until the "year of free credit protection" expires before they try to use it. Was/could be? Seems to me they know what server was backed up onto those tapes... just look at the server.

DanFan

Thanks, TiggerTwo. I am aware of the free credit reports, and already use them. It's an excellent tool to monitor your credit for illegal activity. I still haven't decided whether I want to use the free protection that the State offered.

Tig2

You are entitled to a statement from each of three credit reporting houses on demand each year. I have a schedule for all three of them. It works. Go to http://www.fightidentitytheft.com/sucker.html along with many others to learn how to protect yourself during this time of vulnerability. Google "credit identity scam" for hundreds of no fee resources. And the best to you!

Big Ole Jack

In order to claim your prize, you need to provide the fraudsters with a bank routing and account number. Sure, here it is....NOT!

DanFan

I don't have the letter with me, but it was something like that. They didn't say if it was or wasn't specifically. I saw a forum where someone tried the free protection service, but the 'free for a year' code the State gave them wouldn't work. The site wanted a credit card. Joy.

Tony Hopkinson

junior tape swapper to take it home with him??? I may be being picky, but this doesn't sound tactically astute. Whatever numbwit is in charge will need extremely good friends in very high places to fob this one off on this poor git. There are probably 4000 lawyers having a fight outside this guy's house to win the case.
