Department of Administrative Services Data Breach (2007)

A computer forensics expert has uncovered an additional 106,821 pieces of personal data on a copy of a stolen backup tape removed from the car of an intern responsible for carrying data used by the Ohio state government's computer systems. The finding, released in two reports on Monday by Interhack Corp., arrives three months after the incident occurred. In its report, Columbus, Ohio-based Interhack said the missing backup tape featured newly discovered names and Social Security numbers of 47,245 individuals; the names and Social Security numbers of 19,388 former state employees; and banking information on less than 100 businesses, according to Ron Sylvester, a spokesman for the Ohio Department of Administrative Services. Additionally, the names and federal employee identification numbers of 40,088 businesses were unearthed by Interhack. Information from that file was being used by the state's Ohio Administrative Knowledge System (OAKS) to help populate and test E-Controlling Board, a state Controlling Board business application. Following Interhack's analysis, Sylvester confirmed that in total more than 1.3 million pieces of personal data were stored on the stolen backup tape. The groups affected include state taxpayers, Medicaid providers, payroll vendors, dependents, students and state government employees. The incident is expected to cost the state almost $3 million. Of that total, $2.3 million covers projected and existing enrollment in Debix Inc. credit protection services. Debix enrollment paid for by the state for affected individuals will remain open until Oct. 31. Debix protection will not be extended toward any businesses with information on the lost backup tape. At the time of its theft, the missing tape was being used to carry information from the government's office tower to an off-site location, where roughly 100 state workers and 100 Accenture employees are responsible for testing, configuring code and customizing PeopleSoft applications. That effort is part of Ohio's massive $158 million OAKS ERP project. "The particular drive that this tape was used to back up... was the sort of the testbed drive, so a lot of data was real and historical data being used to test different parts of the OAKS system -- everything from payroll functionality to accounting functionality," said Sylvester. "That's why there were a lot of these files on here, because they were testing things like cutting purchase orders, paying mileage checks -- all the business processes that the current legacy systems use -- and making sure the way OAKS was being configured would work." Since it was a temporary site, a network administrator from the state's previous administration had decided as part of his business continuity plan that he would take backup tapes home every night. However, Sylvester said over time that practice had "devolved" to include interns taking the tapes home.