Ohio Plans To Encrypt After Data Breach

Lucas123 writes "After a backup tape containing sensitive information on 130,000 Ohio residents, current and former employees, and businesses was stolen from the car of a government intern in June, the state government just announced it has purchased 60,000 licenses of encryption software — McAfee's SafeBoot — for state offices to use to protect data. It's estimated that the missing backup tape will cost Ohio $3 million. In September, the state docked a government official about a week of future vacation time for not ensuring that the data would be protected."
This discussion has been archived. No new comments can be posted.

  • Re:$3 million? (Score:2, Informative)

    by Ohio Calvinist ( 895750 ) on Tuesday December 11, 2007 @06:36PM (#21663785)
    Probably the cost of the investigation in lost hours, the price of notifying all those who were among the 130,000 and all that comes with it (lawsuits, credit checking, the cost of the corrective actions...). I went to a university of 11,000 at first that paid for 90 days of credit monitoring for all affected students after someone hacked into the student information system that stored SSNs. I'm sure the state had to deal with some more heat than a small university.
  • Re:$3 million? (Score:5, Informative)

    by asills ( 230118 ) on Tuesday December 11, 2007 @06:53PM (#21664011)
    Last I checked $3,000,000 divided by 60,000 equals $50, not $500.

    Math issues aside, if you RTFA (and follow TF link to the original article) you'll see the breakdown:

    "The incident is expected to cost the state almost $3 million. Of that total, $2.3 million covers projected and existing enrollment in Debix Inc. credit protection services. Debix enrollment paid for by the state for affected individuals will remain open until Oct. 31. Debix protection will not be extended toward any businesses with information on the lost backup tape."

    I highly doubt those licenses are figured into the $3 million estimate.
  • by Anonymous Coward on Tuesday December 11, 2007 @06:58PM (#21664083)
    Yes. There have been SCSI enclosures designed to do just that available for years. You can slap a standard tape drive in them, type a key in to the little display panel on the front, and boom -- encrypted tapes. They're not even terribly susceptible to theft of the entire hardware set, because the key (or at least part of it) is not hard-coded; it's stored in RAM and destroyed when the device is unplugged.

    There are also in-line devices available if you want to connect to something you can't easily re-case. For example:
    http://www.avax.com/paranoia2.html [avax.com]
  • by jrronimo ( 978486 ) on Tuesday December 11, 2007 @06:59PM (#21664109)
    Part of my job involves working on laptops owned by an agency that uses SafeBoot to encrypt data on laptops. Gather children, let me tell you of SafeBoot...

    1. SafeBoot is whole-disk encryption, but Windows-partitions-only. If you dual-boot or use Linux, there is no solution for you except "Please don't lose your laptop".
    2. SafeBoot requires a login before you can boot Windows. If you get your password wrong, you must wait a certain amount of time before you can re-enter your passwords. At first, it's not that bad -- a few seconds. But each successive failure increases the time... eventually, you're waiting minutes.
    3. SafeBoot encrypts the drive so that you can't access the drive from another machine -- which is what it's designed for, of course. Try being an IT guy in this scenario: You can't perform ANY troubleshooting that doesn't involve booting Windows. If Windows fails to boot, you have to have your hard-drive decrypted (which, for us happens off-site and is a MAJOR pain in the ass). I cannot boot off a Windows CD to use the recovery console to replace damaged registry files. I cannot do a 'repair' install. I could wipe the drive and re-install Windows...
    4. The password policy in place requires users to change their password periodically and be of a certain complexity level. Most users have their SafeBoot password written on a piece of paper and taped to their machine, now...

    There's a line between security and usability. When SafeBoot works, it appears great -- it doesn't impact system performance *that* much and it encrypts the contents of the entire drive, woo. But when something goes wrong, it becomes a big pain.

    To be honest, though, I think the bigger problems for the work *I* run into with SafeBoot are the policies in place, rather than SafeBoot itself.
  • TrueCrypt (Score:2, Informative)

    by bruno.fatia ( 989391 ) on Tuesday December 11, 2007 @07:18PM (#21664367)
    TrueCrypt is a very nice free solution and I've been using it for months, haven't had a single problem with it. I guess they were not aware of that software, maybe because they simply didn't look for ANY other products beside McMoney's..
  • Re:60,000 licenses? (Score:3, Informative)

    by Chanc_Gorkon ( 94133 ) <gorkon&gmail,com> on Tuesday December 11, 2007 @08:22PM (#21665045)
    Clueless state officials would say I need a nice cushy service contract. It's called indemnification. If they buy software, they THINK that they can absolve themselves of anything if they have that service contract. I keep telling my friends who work at the state that even though something is technically their fault, it's still their responsibility to keep the data safe. This encryption software will fix diddly if people:

    Share passwords
    Share logins
    Print stuff off on paper, take it home and lose it.

    and more.
  • by scourfish ( 573542 ) <scourfish@ y a h o o.com> on Tuesday December 11, 2007 @09:41PM (#21665827)
    It was due to general incompetence and cutting corners, and the lack of security on the entire OAKS project, which was virtually nonexistent. A shared drive was left open during project development, and it had been discovered many times that people who weren't involved in the project could log in and download personal info. My cousin in law interviewed various employees and wrote a good article for the Cleveland Free Times: http://www.freetimes.com/stories/15/28/system-failure [freetimes.com] .
  • by Locklin ( 1074657 ) on Tuesday December 11, 2007 @10:28PM (#21666201) Homepage
    You forgot /tmp and the swap partition. You might want /var as well if there is sensitive data in the logs. Realistically, you probably need to prevent mounting of disks or USB drives as R/W. Then again, there's probably a few other vulnerable spots on a Unix computer.

    Unix is great, but it's not as simple as you put it to secure it from threats that have physical access to the machine.
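The comment above names /tmp, swap and /var as places where data can sit unencrypted. The following check is an added example, not part of the thread: it reads `lsblk -P -o KNAME,TYPE,PKNAME,MOUNTPOINT` output and reports whether each of those locations sits on a dm-crypt mapping, following parent devices so LVM-on-LUKS is recognised. The sample device layout is constructed, and the check assumes /tmp is on a block device (a tmpfs /tmp is not listed by lsblk) and a single swap device.

```python
import shlex

# Constructed sample of `lsblk -P -o KNAME,TYPE,PKNAME,MOUNTPOINT` output (not from the thread):
# "/" is LVM on top of a dm-crypt volume; /var and swap are plain partitions.
SAMPLE_LSBLK = """\
KNAME="sda" TYPE="disk" PKNAME="" MOUNTPOINT=""
KNAME="sda1" TYPE="part" PKNAME="sda" MOUNTPOINT="/boot"
KNAME="sda2" TYPE="part" PKNAME="sda" MOUNTPOINT=""
KNAME="dm-0" TYPE="crypt" PKNAME="sda2" MOUNTPOINT=""
KNAME="dm-1" TYPE="lvm" PKNAME="dm-0" MOUNTPOINT="/"
KNAME="sda3" TYPE="part" PKNAME="sda" MOUNTPOINT="/var"
KNAME="sda4" TYPE="part" PKNAME="sda" MOUNTPOINT="[SWAP]"
"""

def parse_lsblk(text):
    """Return {kname: row}, where row maps column names to values."""
    devices = {}
    for line in text.splitlines():
        if line.strip():
            row = dict(field.split("=", 1) for field in shlex.split(line))
            devices[row["KNAME"]] = row
    return devices

def is_encrypted(devices, kname):
    """True if the device or any ancestor is a dm-crypt mapping (TYPE=crypt)."""
    seen = set()
    while kname in devices and kname not in seen:
        seen.add(kname)
        if devices[kname]["TYPE"] == "crypt":
            return True
        kname = devices[kname]["PKNAME"]
    return False

def backing_device(devices, path):
    """Device whose mountpoint is the longest prefix of path ('[SWAP]' matches swap)."""
    best = None
    for kname, row in devices.items():
        mp = row["MOUNTPOINT"]
        if mp == path or (mp.startswith("/") and (path + "/").startswith(mp.rstrip("/") + "/")):
            if best is None or len(mp) > len(devices[best]["MOUNTPOINT"]):
                best = kname
    return best

def audit(text, paths=("/tmp", "/var", "[SWAP]")):
    """Map each path to True (encrypted), False (plaintext) or None (no device found)."""
    devices = parse_lsblk(text)
    found = {p: backing_device(devices, p) for p in paths}
    return {p: is_encrypted(devices, d) if d else None for p, d in found.items()}
```

On the constructed layout, /tmp inherits encryption from the root volume while /var and swap are reported as plaintext, which is the gap the comment describes.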

  • Re:60,000 licenses? (Score:5, Informative)

    by H310iSe ( 249662 ) on Tuesday December 11, 2007 @10:41PM (#21666309)
    truecrypt [truecrypt.org].

    sigh
  • Some clarifications (Score:4, Informative)

    by RJurden ( 1201957 ) on Wednesday December 12, 2007 @12:12AM (#21667095)
    First 2 factual clarifications on this story: The stolen "tape" was actually a "device" that has not been officially disclosed as to what type. Some speculate a laptop while others say it was a USB Flash Drive. Second, nearly 1 million people are estimated to be affected by the theft, not 130,000 as the story states.

    Well....okay. I live in Ohio and therefore could be in the group of State of Ohio employees, state taxpayers, Ohio lottery winners, and others, and since it regarded social security numbers, bank account information and such, along with the fact that the theft happened in my hometown of Hilliard, I paid close attention to the story.

    What ACTUALLY happened was an INTERN took the device home for whatever reason. Some speculate to have an off-site backup of the data. The intern left it in their car and their car was broken into and the device was stolen.

    To clarify the cost: Ohio is providing, free of charge, 1 year of credit monitoring service to each Ohioan that was affected by the theft. That cost estimate is very high. Even at a bargain basement price of $2 per year per taxpayer, that would be about $2 million. The lowest price you can find online is $4.95 per MONTH and about $60 per year.

    Further: The official that lost vacation time was not the intern that took the drive home. That official lost the time because they were responsible for ensuring the safety of the data to begin with. Although the intern is the person in possession of the data and should have verified its safety, they were following the procedure that official set up. The intern is not the only one responsible for the theft.
