A stolen backup tape containing personal data on Ohio state workers also contained the names and Social Security numbers of around 225,000 state residents. A mounting privacy brouhaha is building over the purloined tape, stolen on 10 June from the back of an unlocked intern's car. At first it seemed that the data contained on …
Each time I read this the same question comes to mind. They keep saying that "accessing the data requires specialized equipment and expertise". Does that mean that the data is encrypted, or does that mean that you have to own a tape drive and know how to use it?
What exactly is an unlocked intern?
From Ohio with love
This really pisses me off. As an Ohio resident, though, I am not surprised...this state has been stuck 20 years in the past since I moved here over a decade ago.
The state where botched elections tipped the US into a second term of GOP hell. And the home of Diebold election fraud, I mean electronic voting machines. Very appropriate. Good luck to them!
I know of one "accident" waiting to happen a couple of states down from there - I've warned them about it for two years and nothing has been done - it's a pisser because MY information is in there... bastards.
Re: Specialized Equipment
It is my understanding that 'Specialized Equipment' means:
A) Correct size/type of tape drive to use the tape
B) Correct software to read the tape.
When I went shopping a year ago for tape backup software that actually encrypted the data on the backup tape, I received lots of 'Gosh, that's a good idea, I'll pass that on.' and no 'Of course your sensitive data is protected by strong encryption'... And this was a couple of weeks after another backup tape was lost, with associated personal data.
Oh, and as an IT Professional and a State of Ohio employee (completely different area, however) (yes, my data IS on that damnable tape) I think that having any person (much less an intern) take home sensitive backup data is a stupid, shortsighted mistake. I think that anyone who thought this was a 'good' idea should be reassigned to a position they may be capable of performing (emptying the trash bin perhaps).
(But I doubt anyone at all will be held responsible.)
Given the state of affairs in Ohio IT, it probably means a 9-track and a computer that can deal in EBCDIC.
Every organization I've dealt with over the last 20 years, public and private, has used a trusted storage vendor for backups. When I was at AMD, Iron Mountain came by twice a week to pick up our backups. We had a quarter's worth of weeklies and dailies and a year's worth of monthlies there. Even the State of Texas has a secure storage methodology that they seem to follow. You would think that with as much money as Ohio collects from its taxpayers, they could afford some secure storage.
One has to ask what type of tape it was.
A 9-track reel to reel tape?
A data cartridge?
Even if the tape wasn't encrypted, you'd need to know such things as blocking factors and the format of the tape.
Again, since we don't know, it's hard to say.
The sad thing is that security is a cost that has zero gain in terms of ROI, so it's usually an afterthought.
Let's nuke Ohio, it's our only option, I'm serious.
How long before we are told...
...that it was Al-Qaeda that done it.
Encryption & off-site storage
Well, there is encryption on tapes available out there, but considering how Backup Exec has only just gained that functionality in the most recent version, and NetBackup only got it a little while ago (not sure about other vendors but I think it's the same deal with them), it's unlikely they have it available on their setup unless they're very up to date with their software, which seems unlikely.
As for off-site tapes, I wouldn't make a sweeping statement that taking tapes home is always bad, but agree in this case it's ridiculous. For a small company it's a reasonable approach, since paying an off-site storage company may not be viable, so keeping tapes at home can provide a measure of security in case of disaster; hell, we've done it where I've worked before. But for a state to do it is just wrong. After all, it's not even like they have to pay for it! You can't tell me a state only has one site, after all, in which case why aren't they simply storing their tapes at another one of their locations? Plenty of other multiple-location companies do it already, each site storing their tapes at another office in a different town/city. Nuke one location and the other still has the backup tapes to recover.
Since when?
Since when is "taking the tape home" part of any serious standard security practice? Who is the joker that wrote such nonsense, and who is the blubbering idiot that signed it off?
I'm starting to think that an acceptable and effective standard security procedure would be to remove any and all access to the network from the "officials" in charge. At least like that, the only hazard to citizens' data would be fire, and that can be adequately handled with the proper fire extinguishing equipment.
What? They only have water extinguishers? In the server room?
protection in law
Until there is a law that says that data belongs to the person it applies to (i.e. me) then there is not much incentive to protect data.
For instance, if there was no question in law that an organisation must pay the costs of a data loss to me no matter how extensive, then such a mistake as this would cost millions in compensation; maybe with that kind of a threat the company would protect its money by protecting your data.
Overall we really have been conned with data use laws; they are all in favour of the companies making money or otherwise using MY information, yet they have little or no real responsibility to me to keep it safe.
not done for security.
Taking a backup offsite (usually IT top level types, but I have seen rotations like in Ohio all over the US) is not done for security. It's done to try to ensure that if a disaster strikes and the building/datacenter/servers are not there/functional in the morning you have only lost maybe a day worth of data.
There are companies that will come by and pick it up, but half the time they are about as secure as the intern’s car until they finish the route.
Small organizations and non profit ones most often seem to use the take home method from what I have seen.
This is a demonstration of a problem I have noticed in Ohio:
For some reason, many organizations in Ohio rely on the technically challenged (picture an old biddy bragging: "I'm computer illiterate ..hahaha...") to hire all the techs and other IT sorts. You can see where proper selection and bullshit-filtering would become a problem. Added to that is the reality that dawns on the true techs who actually make it through the senseless hiring process: the idiots who almost hired the bullshit-with-many-acronyms-resume/interview person over the truly experienced tech are also in charge of the other important decisions, such as your budget, or even the tools you are 'allowed' to use to do your job, or whether that flashy new software the bullshit-with-many-acronyms-sales-brochure is touting as the next best thing actually does anything...
you get the picture.