Ohio Plans To Encrypt After Data Breach

Lucas123 writes "After a backup tape containing sensitive information on 130,000 Ohio residents, current and former employees, and businesses was stolen from the car of a government intern in June, the state government just announced it has purchased 60,000 licenses of encryption software — McAfee's SafeBoot — for state offices to use to protect data. It's estimated that the missing backup tape will cost Ohio $3 million. In September, the state docked a government official about a week of future vacation time for not ensuring that the data would be protected."

60,000 licenses?

[Knara]

Couldn't they have found an OSS solution that would have, y'know, saved the state an assload of money? I'm not an "OSS can do everything commercial software can, but better!" zealot, but that's a big bit of pocket change to be throwin' out for a solution, there.

$3 million?

[warrior_s]

Okay, I am having difficulty in understanding $3 million figure... So they bought 60,000 licenses. If we consider the complete $3 million towards licenses, it will be $500 per license, which I think is way too much. However I could not find the cost of the encryption software anywhere on the web (anyone with links????)

anyone care to explain approximately from where $3 million figure came?

A week's vacation?

[Jester998]

the state docked a government official about a week of future vacation time for not ensuring that the data would be protected

I work as a DBA in a nonprofit healthcare organization. If our backup guys lost a tape, and I hadn't bothered to check off the box in our database backup software that says "Encrypt: 256-bit AES", I would lose my job.

This guy got dinged a whopping 1 week of vacation time. That's not even '1 week suspended without pay'. It's the equivalent of having to stay in detention after school.

I need to move over to the public sector or something.

WTF

[zappepcs]

I saw four horrifying words...

Intern, backup tape, car

encryption is probably low on the list of security concerns here... just WOW

I absolutely know that I don't want to hear the story of how those four words got used in the same sentence until happy hour is nearly over.

Those 4 words should never be needed in the same sentence. Process is just as important as encryption. That should have been 'backup tape', security company, armored transport, iron mountain in the sentence... oh wait, then there would be no story.

They led the horse to water...

[Darth Muffin]

... but can't make it drink. Encryption is only a partial solution. You still need to keep your backup tapes secure (they won't be encrypted by this software, but most higher end backup software will), and you need to keep people from copying files to USB sticks or burning to CD.

Re:OpenBSD is the answer.

[QuickFox]

Why not?

Re:Wonder if McAfee payed them

[a_nonamiss]

As an IT professional in Ohio who works in a field very close in both location and function to what this company did, I just want to say that this whole thing has been blown so far out of proportion it's not even funny. Yes, there was some sloppiness going on. Yes, someone, maybe a few people, deserved to lose their jobs over this. However, the amount of time and money that has been spent on this is so far overboard it's ridiculous.

No actual loss has ever been reported as a result of this breach. The tape that was stolen was in a relatively obscure tape format. (I don't believe it's ever been reported, but I work with similar systems, and I would guess it's probably 5 1/4 inch format, likely not even in ASCII. Most of the data backups we get are EBCDIC.) It was unencrypted, but in order for someone to get anything off this, they would need the correct hardware, the correct software and they'd really need to know that they were looking for something. Add to that it wasn't reported until weeks after the loss, by which time the thug who broke into the car had log since ditched the useless cassette tape that he stole.

Meanwhile, Ohio taxpayers are spending millions of dollars doing credit checks on every person whose information was potentially on that tape.

I'm not advocating that we forgo due diligence. I take great care in making sure that all backups from my company are encrypted. I hound everyone in the office to make sure their passwords are secure. However, the fact that we're still speding money on this makes me irate. If there was any indication whatsoever that this data was compromised, I'd be OK, but there's a 99% chance that this tape is in a landfill in southern Columbus right now.

Re:60,000 licenses?

[Anonymous Coward]

No No NO NO NO.

I love TrueCrypt. I really do. But it is *NOT* a full disk encryption product. It relies on the USER to do the work. If I could rely on the USER to actually keep their data encrypted, we wouldn't be in this mess.