IG Concludes Trained Orangutans Could've Handled Data Theft Better

I've held my tongue on this one. No more.

The Ohio Inspector General has been investigating the theft of the missing data tape that's led to the $2.2 million thorn in Governor Strickland's side for the past month. Today the IG released the report. First, the upside; the report concludes:

“If there is a silver lining to be found in this matter, it is that despite the many poor decisions that were made, there appears to be little risk to state employees, taxpayers and vendors. Based on our interviews with data-security experts, the technical complexity of retrieving the data makes the possibility that it will be used for criminal purposes remote.”

Well Yippee! F'in Hooray! Hooray! [hands flailing in the air] Hooray! Everything's All Better!!!!
Wrong.

The words of the very report stress the idiocy involved in all of this...

The theft, which occurred in the Columbus suburb of Hilliard on the evening of June 10, 2007, or early the following morning, exposed a questionable but longstanding practice in which OAKS supervisors, contractors and, eventually, college interns took backup tapes to their homes on a daily basis. The instructions, reduced to policy in an OAKS Business Continuity Plan published April 30, 2002, were to return the tapes on the following workday.

Numerous studies published by Gartner Inc. and other leading authorities on information technology security best practices recommend that administrators of large IT systems encrypt sensitive portable data maintained on backup tapes and laptops. They also advise
that backup tapes be treated like cash and either taken off-site via a physically secure method of transportation such as armored car or by secure site-to-site electronic transmission.

Although OAKS is a $158 million IT project and the State of Ohio is a $52 billion business enterprise, OAKS administrators had not encrypted the data on the stolen backup tape and had authorized a succession of interns to take the tapes home for the
previous two years with only an admonition to store the tapes in a safe place. For approximately six weeks before the theft, that task had fallen on the OAKS intern with the least seniority – Jared Ilovar, a 22-year-old, $10.50-an-hour employee hired on March 5, 2007. Ilovar received this assignment not from an OAKS supervisor, but from a fellow intern who had that responsibility before him.

This practice violates not only basic tenets of IT security but common sense as well. Nevertheless, we discovered that the same practice was in place at the state Office of Budget and Management (“OBM”) – albeit not involving the use of interns as couriers. Until the theft of the OAKS backup tape last month, two OBM network administrators had shared the duty of taking home OBM backup tapes since 1999. They no longer do so.

The tape was stolen the night of June 10th, or early in the AM the 11th. State officials didn't tell the Hilliard police that the tape contained confidential, important info until June 12th. In the interim, the Hilliard police considered the theft no big deal. Furthermore, the State Troopers weren't informed of the theft until June 14th.

OMG, WTF!!!!!

Well, in response OAKS Project Manager David White resigned after overwhelming evidence of his failure to report the contents of the tape to the proper authorities immediately. Also, OMB terminated OAKS consulting contracts for two other project supervisors. Additionally, evaluations, security, and procedures are being undertaken so this never, ever, ever happens again.

As for little Jared Illovar, the 22-year old intern at the center of all of this, the State of Ohio fired his ass after he refused to voluntarily resign. Good, any kid that leaves a data tape FULL OF HUNDREDS OF THOUSANDS OF SOCIAL SECURITY NUMBERS in his vehicle over night deserves to be delegated to a position that requires less thought than an orangutan is capable. To the best of my knowledge, no positions like that exist in the State of Ohio government.

The report stressed no likely damage was done to any individual's privacy. However, the costs to the state, and the damage done to our Democratic officeholders reputations over this boo boo are unacceptable. Hopefully the public will see this for what it was - a poorly crafted policy that had existed under both Democratic and Republican Governors, and poor judgment on behalf of multiple staffers.

This policy of removing a data tape to the home of a staffer has been in place since 1999, well into the Taft Administration. We're lucky a theft never occurred under the former Governor's watch. However, I elected Ted Strickland to replace exactly these types of Republican oversights. From the Republicans corruption, to poorly managed government, I voted Ted into the mansion to clean things up. Now I understand turning Ohio around is a long process...we've had 16 years where management for the state of Ohio slowly slid down into a shit fest city. It takes a while to get that back on track. But simply taking the Taft policies without evaluating them with a little common sense is simply not acceptable. Hopefully plenty of other policies entirely unrelated to data management are under review right now too.

That said, I've appreciated the candor and disclosure Governor Strickland has given to the public while updating us on the contents of the tape. That's been the one gem in this entire shit storm.