Unencrypted Backups Risky and Costly

June 18, 2007: The Ohio State Government in the US was in damage control last week when an unknown storage device containing backup data and personal details of all the state’s employees was stolen from a 22 year-old intern’s car.

The government scrambled to decipher exactly what data went missing, scanning 338,634 files in 24,333 files in its archive over four days. Personal data such as the names and social security numbers of all 64,467 state employees was found to have been potentially been exposed.

It has not divulged what kind of storage device was used in the backup for fear of helping the thieves, but the Ohio Governor Ted Strickland did emphasise that the data would be “very difficult for a thief to access.”

State procedure requires two data backups to be kept, the first is held at a worksite while the second is given to a State employee for safekeeping on a rotating roster basis. Exactly how an intern was deemed an acceptable guardian for the data is unknown, however, Governor Strickland says that this will no longer be the case, with the second copy now to be held at another offsite location inside a locked, fireproof container according to The Associated Press.

It is unclear whether the stolen data was encrypted or not, however, it is worth noting that as encryption was not mentioned once in the Governor’s statement or other reports, it is likely that none was employed.

Strickland says the Government has directed the Department of Administrative Services to offer state employees access to free identity theft prevention and protection services for one year, and all are currently being notified by email and post of the breach. A dedicated website has been set up to provide ongoing information to those affected.

While breaches like this are becoming alarmingly frequent, in this case the backup procedure and apparent lack of encryption highlight the kinds of unnecessary risks that are created by small gaps in security.

Comment on this story