Intern Loses 800,000 Social Security Numbers

destinyland writes "A 22-year-old intern said today he's the 'scapegoat' for the loss of over 800,000 social security numbers - or roughly 7.3% of the people in the entire state of Ohio. From the article: 'The extent of my instructions on what to do after I removed the tapes from the tape drive and took the tapes out of the building was, bring these back tomorrow.' Three months into his $10.50-an-hour internship, he left the tapes in his car overnight — unencrypted — and they were stolen. Interestingly, the intern reports to a $125-an-hour consultant — and was advised not to tell the police that sensitive information had been stolen, which initially resulted in his becoming the prime suspect for the theft. Ohio's Inspector General faults the lack of data encryption — and too many layers of consultants. But their investigation (pdf) revealed that Ohio's Office of Management and Budget had been using the exact same procedure for over eight years."

It gets better...er, funnier at least

[gskouby]

The State of Ohio is offering one year of identity theft protection to those affected. To lookup your access code for this one free year of ID theft prevention please visit this page:

http://ohio.gov/idprotect/lookup/lookup.aspx/ [ohio.gov]

On this page you enter your last name and the last four of your SSN. Anybody see anything fishy about this page? HOW ABOUT THAT IT ISN'T USING SSL. Apparently they don't believe in using encryption anywhere, ever. Not on backup tapes and definately not when transmitting sensitive information over the Internet.

Re:Bring these back tomorrow?

[coren2000]

I assume they remove backups from the site nightly, in case of fire.

And I think the bigger problem

[DragonWriter]

Is your reading comprehension:

There were SSN's of 770,000 taxpayers plus 64,000 state employees that together were 7.3% of the state population. Nowhere does it say that 7.3% of the population was working for the state government.

Re:Scapegoat? Maybe, but he's still a moron.

[dougmc]

IMO there's nothing wrong with sending tapes home with people.

Agreed -- it's the poor man version of offsite backups, though if they have sensitive information they should be encrypted at the very least. Still, while it probably makes sense for a five man office, it's probably not the best way of doing things for a big operation.

The biggest problem with moving tapes around is that you have to make sure they're not moved in a car with a great big stereo. Subwoofers can play havoc on magnetic media.

Actually, the strongest magnet you have in your house probably isn't strong enough to do anything to modern data tapes. It takes a strong honking magnet to affect modern data tape media in the slightest. You could wrap your DLT/LTO/whatever tape up with a big woofer for a month and it would still be readable -- wouldn't be affected at all, actually. There's a minimum magnetic strength required to change things on the tape, and if you can't reach that, it doesn't matter how long your magnet is nearby.

The heat is probably a bigger danger.

As for the big woofers, they might attract thieves and cause problems that way :)

Re:Scapegoat? Maybe, but he's still a moron.

[alflauren]

Absolutely right on the price. $125 an hour is about the rate that I would charge if I were a college graduate trying to start my own consulting firm. You're not going to get anyone decent for under $300-400 and hour these days, and you'll need to spend more than that to get someone good.

Re:Bring these back tomorrow?

[LurkerXXX]

It's called offsite storage. If you aren't doing it, look into it or you will regret not doing so if your building ever burns down, floods, etc.

They just did it in a horribly horribly bad way. There are lots of other state buildings around they could transfer things to regularly. Having anyone, let alone an intern, take them to their home instead is simply stupid. As is leaving company property unattended in your car. Having them do that with unencrypted data was just batshit insane.

Re:Scapegoat? Maybe, but he's still a moron.

[Nevyn]

IMO there's nothing wrong with sending tapes home with people.

Sure, I've worked at places that do that ... but sending them home with the intern? Whenever I've seen it done it's been with trusted full time employees, with a paper trail of exact what went to their home.

Re:Scapegoat? Maybe, but he's still a moron.

[mlts]

If there is a solid encryption system [1] in place, there isn't anything wrong with this at all, (although a service like Iron Mountain would be the best.)

Encrypted backups are not hard to do, although its not in that many backup programs on the Windows side (unless you go to Networker or Tivoli Storage Manager) support solid encryption. The main one that does support encryption is EMC/Insignia's Retrospect on the Windows side, and Arkeia on the UNIX side.

[1]: A solid encryption system is not just clicking a checkbox that says "backup will be encrypted", and typing in a password on two blank fields, but knowing who has access to what passwords, and preferably having it that the guy who has the encryption keys or passwords is not the same guy in physical custody of the tapes 24/7, assuming a large company.