A portable storage device containing personal information on 64,467 workers employed by the state of Ohio was stolen from an intern's car on June 10, according to a statement from the office of Governor Ted Strickland. The storage device contained names and Social Security numbers.
"I have asked the Ohio Highway Patrol to lead the investigation to recover the device," Strickland said in his statement, posted on the state's government Web site. "Also, I have directed the Department of Administrative Services to secure the opportunity for state employees to access free identity theft prevention and protection services for one year."
The unidentified intern had been incorrectly authorized to take the copied data home with him as part of the state government's regular policies on backing up sensitive data.
Gov. Strickland signed an executive order ceasing that practice, ordered a review of agency procedures for backing up data, and said that he would "take appropriate disciplinary action when the facts are known."
Strickland emphasized that the device could not be accessed without special equipment.
"I don't mean to alarm people unnecessarily," Strickland said. "There's no reason to believe a breach of information has occurred." Nevertheless, Strickland authorized all affected employees to be provided with free credit monitoring for one year, at a cost to the state of $660,000. The state also set up a Web page and toll-free number for affected individuals to call and get information regarding the breach.
Thefts or losses of computer equipment that contain personal data remain one of the largest sources of data breaches. The data is often unencrypted and easily visible to anyone, sometimes even without password protection. Laptop computers, disks or CD-ROMS, and "thumb drives" all present serious vulnerabilities if they are not properly stored and maintained when filled with sensitive data.
Employees also often lack proper training in data security and protection for the files they're entrusted with, or circumvent safety measures to make their jobs easier.
Until recently, Ohio held the dubious honor of largest university-based data breach, caused when hackers broke into the networks of Ohio University and exposed the personal information of nearly 500,000 students, faculty, employees, and retirees. The breaches led to firings of multiple employees and increased scrutiny of the security vulnerabilities of college and university computer networks.