Consultant Completes Review of Loss of State Data Device

Ohio Department of Administrative Services
Ted Strickland, Governor
Hugh Quill, Director
News Release
Office of Communications

FOR IMMEDIATE RELEASE                  Media Contact: Ron Sylvester
Sept. 10, 2007                                            Phone: 614-728-8698
                                                                      Email: ron.sylvester@das.ohio.gov

Consultant Completes Review of Loss of State Data Device
(Columbus) – Department of Administrative Services Director Hugh Quill announced today that the third-party review of the recent loss of a state data device is complete and that the state government is taking steps to conclude its response.

“In its review, Interhack concludes that the state needs to ensure that data security is seen as an ongoing process,” Director Quill said. “I couldn’t agree more. The governor’s data security executive order calls for that approach and, at the governor’s direction, the administration is developing a plan to establish a state chief information security officer.”

Interhack, a Columbus-based information assurance and computer forensics company was contracted by the state in June to analyze the stolen backup tape to verify the state’s review of the tape and to conduct an independent review of data security at OAKS – the Ohio Administrative Knowledge System. In two reports finalized Monday morning, Interhack reported finding an additional data set with sensitive information on the tape and provided state officials its analysis of OAKS security.

“The completion of this review means that we have all available information to help us execute security measures and procedures that will help us prevent this sort of incident in the future,” Governor Ted Strickland said.

Highlights of Interhack’s reports:

Backup Tape – Additional sensitive information was discovered. This includes:

The names and social security numbers of 47,245 individuals

The names and social security numbers of 19,388 former state employees
The banking information of less than 100 businesses

The names and federal employee identification numbers of 40,088 additional businesses were also identified. The file was being used at the OAKS project to populate and test E-Controlling Board, a state of Ohio Controlling Board business application.

Quill said on Monday that the state will assist individuals and former employees included in the last file in the same manner as before. Letters from DAS, signed by Quill, will be sent on Wednesday. The letters will contain information regarding Debix enrollment and contact information for those with further questions.

Quill also said that Debix enrollment will not close until October 31 to allow adequate time for those who wish to initiate the service to do so.

"This was an unfortunate situation, but I believe we have put people first and done our best to provide a level of protection and comfort for those affected,” Quill said.

For more information and to look up whether an individual’s data was on the device, the public may go to www.ohio.gov/idprotect.

OAKS & Statewide Data Security – Interhack found that OAKS security has been heightened in the wake of the backup tape theft. The firm’s chief recommendation was for the state to create an independent chief information security officer. The governor has asked the Department of Administrative Services and the Office of Information Technology to prepare a proposal for Interhack’s recommendations.

Editors’ Note: – For a .pdf summary of the Interhack reports, please email Ron Sylvester, DAS, at ron.sylvester@das.state.oh.us.

[ Administrative Support | Communications | Employee Services ]
[ Finance | Legal Counsel | Legislative Affairs | IT Services ]

Site Map | Search | DAS Home Page | State Home Page | Contact DAS