Laptop Containing Personal Data Of All 64,000 Ohio State Employees Stolen

A laptop containing the personal information of all 64,000 Ohio state employees and their dependents has been stolen from an employee’s car. Ironically, the laptop was taken home by the employee “as part of a security procedure.” Governor Ted Strickland is not taking the matter lightly. He has already issued Executive Order 013S, giving Ohio’s Chief Privacy Officer 75 days to develop an impressive-sounding “privacy impact assessment protocol.”

“As we are continuing an ongoing review of the data contained in the stolen device, we have determined that information pertaining to participants in the state’s pharmacy benefits management program, including information such as names, social security numbers, addresses and phone numbers of the employees and the names and social security numbers of their dependents, may be contained in the device,” Strickland said.

Strickland’s office has set up a site for Ohioans concerned about their data. The state will provide affected employees free credit monitoring for one year. — CAREY GREENBERG-BERGER

State Employees’ Personal Data Stolen [WDSU.com]
State Employee Identity Protection

Comments


  1. faust1200 says:

    From what I read the data is at least encrypted. (for now)

  2. Notsusan says:

    I hope they are also budgeting for any necessary reimbursement and credit restoration assistance as part of this process. I mean, c’mon!!!

  3. timmus says:

    Oh, excellent... a sensible computer security policy developed as a byproduct of damage control.

    The state ought to damn well provide credit monitoring for MORE than one year. That’s an insult.

  4. Notsusan says:

    Oh, I read the monitoring site. Up to $5000 protection only. Not enough!! I guess they are hoping to cut a lot of fraud off at the pass…

  5. kenposan says:

    I live in Ohio. This is obviously big news here. What is “Funny” about this is that our illustrious former Governor ordered the IT guy at the state to do this (take the data home) in order to protect the data.

    What I can’t believe is that an IT guru would have thought this was a good idea, encrypted or not. “Sure, governor sir, we’ll take sensitive data home every night to ensure its protection.” There have got to be much, much better ways to safeguard this data. And then to turn the responsibility over to an intern???

    Heads will roll. It will just be interesting to see whose heads.

  6. banned says:

    Taking data home is the worst of all security; any IT person should know better. It’s like a bank manager taking home the cash in the vault in case the bank gets robbed, ridiculous. I’m not one for lawsuits but I see a huge one here. IDIOTS!! Not only should they be fired, but never be trusted with anything again. And why do companies insist on keeping all their eggs in one basket? I mean employees’ and their families’ data all in one place, just for something like this to happen? Again, IT should have known better.

  7. dextrone says:

    Hmmm, wow the US gov. is still in the stone age with IT thinking…maybe that’s why INDIA has a {proportionally} bigger IT industry.

  8. timmus says:

    It will just be interesting to see whose heads.

    Money flows uphill, the stink rolls downhill.

  9. cryrevolution says:

    I work commercial claims first notice of loss for an insurance company. And I am not quite sure, but I do believe I took a general liability claim for this incident. It had the same situation, employee took laptop home and it was stolen from the employee’s car. In the statement I took from the caller, which was a representative of the company that handles all of the

  10. cryrevolution says:

    Ayy, let’s try this again... continued...

    employees information, he did not disclose the exact amount of info that was in the disk. Again, not sure if this was the same incident, but it did sound awfully familiar.

  11. UnStatusTheQuo says:

    This makes me wonder how much other critical information is stored on some cheap laptop rather than a datacenter, or at the very least, a server.

    Encryption will be enough to stop the average thief, but why is a risk like this even taken? Same crap as the government keeping nuclear secrets on laptops… it makes no sense at all and the risk always outweighs the reward.

  12. shdwsclan says:

    If anything, if it’s encrypted, nobody is even gonna bother decrypting it... since with current technology, it can take... about 10-100 years, depending on the cipher strength...

    Also, if it has the “call home” hardware, then they shouldn’t have any trouble tracing it.

    Generally, the black guy that stole it is gonna sell it cheap to some shop in the region, usually an indian or arab convenience store, and then its drive gets wiped completely, a fresh install of an illegal copy of windows xp, with some software like office and powerdvd and symantec corporate... and fence it for an inflated price on ebay... hell, 70% of all laptops that are on ebay are stolen...

  13. Grrrrrrr, now with two buns made of bacon. says:

    I just got a “Dear John” letter from the local hospital. It seems that my personal information (Name, address, SS#), along with that of 9300 others, was left “exposed” to the Internet for over a month by the company that handles online payment transactions (Verus, Inc).

    The letter basically said “Oops, sorry, you may be vulnerable to identity theft... better put a fraud alert letter in your credit file.” I don’t blame the hospital, since it was a third party vendor that caused the incident, but nobody is stepping up to the plate here to help.

    In a strange twist of fate, a week earlier my insurance company talked me into adding identity-theft protection to my homeowner’s policy. I might just need that.

    Off to submit my fraud alert letter now.

  14. Trai_Dep says:

    At this stage of the game, can’t we all agree to simply shoot anyone responsible for leaving this kind of information on a laptop that’s stolen? I’m talking about the policy-setters, not the poor dweebs ordered to do so (well, unless they can’t prove they wouldn’t have done it otherwise).

    It’s America, so it doesn’t have to be a head shot. Knee or groin would be fine.

  15. cde says:

    As a soon-to-be IT admin, there is a very simple way to let employees who need to work on the data after hours do so. Take one laptop, add a VPN client, plus an EVDO card for anywhere access. All the convenience of home work without ACTUALLY TAKING THE DATA HOME.

  16. ShadowFalls says:

    @cde:

    Exactly. Since you log in with a username/password, you can just delete the username when a computer is stolen and create a new one and still conserve the same level of security. The EVDO card though would be a luxury most government agencies cannot afford; most have internet access at home anyways.

  17. cde says:

    @ShadowFalls: Well, most government agencies can get a discount on (and afford one) EVDO account. Second, with RSA rotating security token devices, it makes it even harder for the data to be accessed. They would have to steal both the laptop and the person’s token.
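
The remote-access design sketched in the cde and ShadowFalls exchange (data stays on the server; the laptop is just a client that needs a password plus a rotating token code, and the account can be disabled the moment the laptop goes missing) as an added, editor-written example. It is not code from either commenter or anything the state deployed. RSA SecurID's token algorithm is proprietary, so the example uses TOTP (RFC 6238) as a stand-in; the user record, gateway dictionary and salt are constructed, and the token seed is the RFC 6238 test-vector seed so the codes can be checked against the RFC's own tables.

```python
"""Two-factor remote-access check (added example, not the commenters' code).

Models the cde/ShadowFalls scheme: the sensitive data never leaves the
server; a remote user must present a password AND a code from a rotating
token, and a stolen laptop is handled by disabling the account at the gateway.
TOTP (RFC 6238) stands in for the RSA SecurID token cde mentions.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30        # RFC 6238 default time step
PBKDF2_ROUNDS = 100_000  # password-hashing work factor (assumed value)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // STEP_SECONDS, digits)


def totp_valid(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current code plus/minus `window` steps of clock skew."""
    counter = now // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, c), code)
        for c in range(counter - window, counter + window + 1)
    )


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(password: str, totp_secret: bytes, salt: bytes) -> dict:
    """Constructed user record, as the access gateway would store it."""
    return {"pw_hash": hash_password(password, salt), "salt": salt,
            "totp_secret": totp_secret, "enabled": True}


def authenticate(users: dict, username: str, password: str, code: str, now: int) -> bool:
    """Both factors must pass; a disabled or unknown account always fails."""
    user = users.get(username)
    if user is None or not user["enabled"]:
        return False
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    otp_ok = totp_valid(user["totp_secret"], code, now)
    # Evaluate both factors before combining so the response time does not
    # reveal which factor was wrong.
    return pw_ok and otp_ok


def revoke(users: dict, username: str) -> None:
    """ShadowFalls's point: when the laptop is stolen, disable the account at the gateway."""
    if username in users:
        users[username]["enabled"] = False


# Constructed sample gateway. The token seed is the RFC 6238 test-vector seed.
RFC_SEED = b"12345678901234567890"
USERS = {"intern": make_user("correct horse battery staple", RFC_SEED, salt=b"constructed-salt")}

if __name__ == "__main__":
    t = 59  # Unix time taken from the RFC 6238 test table
    code = totp(RFC_SEED, t)
    pw = "correct horse battery staple"
    print("token code at t=59:", code)                                   # 287082
    print("password + token  :", authenticate(USERS, "intern", pw, code, t))      # True
    print("password only     :", authenticate(USERS, "intern", pw, "000000", t))  # False
    revoke(USERS, "intern")
    print("after revocation  :", authenticate(USERS, "intern", pw, code, t))      # False
```

The point the code makes is the one cde raises: a thief holding the laptop (and even the password cached on it) still cannot authenticate without the token seed, which lives in the token and on the gateway, not on the laptop; and because the data never left the server, the `revoke` call closes the exposure entirely, which no amount of after-the-fact action can do for a copy of the database sitting in a car.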

  18. Ikki says:

    Hm.

    Ted Piaskowski of Butler, Ohio is turning 37 today. Happy birthday, man!

  19. Optimistic Prime says:

    What’s amazing is that it was “stolen” from an intern’s car. Why would an intern have this kind of info??? After all the times something like this has happened in the state, why would they still think it’s a great idea?

  20. shiznannigan says:

    Ok, I can’t be the only person wondering this…

    WHY DON’T THEY PUT THIS KIND OF STUFF ON DESKTOP COMPUTERS, ENCRYPTED AND CHAINED DOWN???

    Ahem. Ok, I’m done now.

  21. mac-phisto says:

    alright. opposing argument here: almost every disaster recovery plan i have seen requires an “offsite backup” for business continuity. basically, by taking the data offsite, it is “protected” in the event of a catastrophe that renders the current database inaccessible. for many public institutions, federal law requires recovery of business operations offsite in the event of a disaster within 24 hours.

    sometimes this can be accomplished thru mirrors that exist in different locations, but not all institutions have that capability at every level. creating offsite backup or redundancy for the entire osu backbone in a data farm could be quite a difficult task. more likely than not, each department is responsible for maintaining individual business continuity plans (& backup procedures), which makes the process even more complicated.