Ohio adds 225,000 in stolen data case

6/21/2007
BY JIM PROVANCE
BLADE COLUMBUS BUREAU
DeWine
DeWine

COLUMBUS Officials have determined that the personal information of nearly a quarter of a million Ohio taxpayers and lottery winners is contained in a state computer data storage device that was stolen last week.

The device contains the names and Social Security numbers of 225,000 Ohioans who have not cashed state or school income tax refund checks issued since 2005, 602 Ohio Lottery winners who haven t cashed their checks, and 2,488 people who haven t cashed checks for previously unclaimed property.

The device also stores the names and bank account numbers of 650 to 1,000 people for whom electronic fund transfers had failed.

The state has expanded the list of affected people as it continues to review a twin of the stolen data storage device, which a 22-year-old college intern had been asked to take home as a security precaution.

By [Tuesday] evening there had not been a single case of anyone attempting to violate the privacy of those 20,000 who had already registered [for identity theft monitoring], so there is no indication at this point that there has been a breach of the device in a way that would access personal information, Gov. Ted Strickland said.

The state originally offered taxpayer-funded credit monitoring to 64,000 state employees whose payroll information was on the device.

The credit-monitoring offer has been extended to the new pool of people.

The state also plans to mail notification letters to all those believed to have been affected.

Jared Ilovar, a senior at the Columbus campus of the private DeVry University, was working in an office testing part of the state s new $158 million Ohio Administrative Knowledge System designed to consolidate the state s payroll, purchasing, and other accounting functions.

He was asked to take one of two data backups from the workplace home with him at the end of the day as part of a routine designed to keep one of the backups at a different location.

The device was reported stolen from his car, which was parked outside his apartment in the Columbus suburb of Hilliard late on the night of June 10 or the morning of June 11.

Mr. Strickland has changed the backup policy, which dated to 2002. The backup devices are now stored in separate state buildings.

All tax refund check information flows through the administrative knowledge system. But the administration has pointed out that the storage device was not an entire backup of the system, but rather from one work station testing part of the system.

The file containing the latest information was an outstanding check file, said Budget Director J. Pari Sabety.

We re finding out every day that thousands more Ohioans are affected by this breach, said Rep. Kevin DeWine (R., Fairborn), who is deputy chairman of the Ohio Republican Party. We are now 10 days out, and the delays are troubling.

The sooner they get all the facts and notify the people involved, the better, but every day there seems to be another major development, he said.

The Strickland administration does not seem to have this issue under control, he said.

In some cases, the files containing the information had been opened and examined by a state employee, but it was not until an expert within that particular department was brought in to decipher the file that the administration realized what it contained.

The Strickland administration has contended that even if the thieves are successful in technically accessing the data, they won t understand what they have.

This is not data that is easily comprehended, Mr. Strickland said.

The state had previously reported that the device, which it has declined to describe, contained all 64,467 state employees names and Social Security numbers; information on the employees nearly 76,000 dependents if enrolled in the state s prescription benefit program; banking information for school districts, local governments, and some vendors, and the names and case numbers of about 84,000 welfare recipients.

On Monday, the legislative Ohio Controlling Board approved the release of about $731,000 to provide identity theft monitoring for one year and to hire an outside computer expert to double-check the state s findings so far and to develop a policy to prevent a similar occurrence.

Because the state expects just a fraction of the potentially affected people to sign up, the Strickland administration has no plans at the moment to go back to the controlling board for more funds.

Contact Jim Provance at:jprovance@theblade.com,or 614-221-0496.