Huge data theft in Ohio
Anybody who works for Ohio or who receives benefits in Ohio is at risk of identity theft:
The names and Social Security numbers of all 64,000 Ohio state employees were stolen last weekend from a state agency intern who left a backup data storage device in his car, Gov. Ted Strickland said.
An additional review of data revealed that the storage device also held information on 53,797 participants enrolled in the state's pharmacy benefits management program, as well as names and Social Security numbers of about 75,532 dependents, the governor's office confirmed Saturday.
This was not merely a screw-up in the custody of information; this was a fundamental screw-up in state policy:
Under protocol in place since 2002, a first backup storage device is kept at a temporary work site for a state office along with the computer system that holds all the employee information, and a second backup device is given to employees on a rotating basis to take home for safekeeping, officials said.
State officials still don't get it, though:
"I think it's not that big of a deal," [said Dawn Rice, an employee in the state Senate clerk's office]. "The person who stole it would really have to know what he's doing."
That absurd statement springs from the fact that the data was encrypted; depending on the type of encryption used, it might be possible to break it fairly easily. Her confidence in the data's security is wildly misplaced.
Security is a human process, not a technology, and it's time we learned that. Effective security is about teaching people what is secure and what isn't, which procedures are secure and which aren't. It's about risk assessment and mitigation. These are human processes, not technological platforms. The weakest link in any security chain is the human one.