Friday, June 22, 2007

Yet more identity loss, this time in Ohio

It seems like open season for identity loss. Inspite of the fact that trends for identity loss, and consequent financial fraud, are on the way up, these incidents keep on happening. And it seems so simple in many cases, almost like inviting thiefs to come and do such things. In the recent case, a computer tape, that held backup information for 64,00 Ohio state employees, as well as names and Social Security numbers for another 225,000 taxpayers, was stolen from the unlocked car of an intern. And why was this in the intern's car? Well, because taking a backup copy of the tape was part of security procedures for safety of the information. In this case, safety would have been to do with the data getting lost because of any data errors or computer malfunction, so seems like a good thing to do, except for the fact that the tape itself was kept in a physically unsafe location.
For data holding names and security service numbers, there needs to be a proper safety analysis and a proper plan, something that does not seem to have been done in this case. Otherwise, how could it have been so simple?


A missing computer backup tape containing personal information on state employees also holds the names and Social Security numbers of 225,000 taxpayers, Gov. Ted Strickland said. The tape, stolen last week from a state intern's car, was previously revealed to hold the names and Social Security numbers of all 64,000 state employees, as well as personal data for tens of thousands of others, including Ohio's 84,000 welfare recipients.
The administration has maintained it does not believe the information has been accessed because it would require specific hardware, software and expertise. But data security experts said the unencrypted tape, described by police as roughly 4 inches square and an inch thick, could be breached by someone with computer expertise, time and money.


And this is the other problem. When such indidents happen, many times the administration involved tries to minimize the problems associated with such thefts, by claiming that there is no record that anybody has tried to use this stolen information, or that the information is contained such that it's not easy to steal. All these are not correct responses, certainly not geared to bring confidence.
It is far better to invest the required time and money to bring in systematic data protection policies, for the cost of not taking such measures and then trying to take corrective measures is far more. This is not the first time that we are hearing of such theft, and it is unlikely that this will be the last time.
This is even more problematic in the current case because a number of people who are affected are on welfare, and will have no idea about what to do, or what the implications of such moves are.

No comments: