Data Breach "Unfathomable," Says Connecticut Governor

"The tape contains information on nearly every bank account held by state agencies ...which could total billions of taxpayer dollars."

September 17, 2007

On Sunday, Governor M. Jodi Rell announced that a review of data removed from Connecticut's CORE-CT computer system by Accenture -- a consultant to the Office of the State Comptroller and other state agencies -- shows an "unfathomable" violation of information security, exposing information on nearly all state government bank accounts.

The information was contained on a backup computer tape stolen in Ohio in June. CORE-CT is the computer system that performs all the state's payroll, personnel, purchasing, accounting, inventory and other functions. The stolen tape was being used in the development of a similar state government information system in Ohio.

Rell directed staff from the Department of Information Technology (DOIT) and the Department of Administrative Services (DAS) to conduct a full-scale review of the tape after ordering officials from Accenture to deliver a copy of the data to DOIT by noon on Saturday.

The governor directed Accenture to deliver a copy of the data to DOIT when the Office of the State Comptroller -- which has possessed a copy of the tape for several days -- failed to make a copy available despite repeated requests.

"The review on Saturday shows an unfathomable breach," Rell said. "The tape contains information on nearly every bank account held by state agencies -- including checking accounts, money market accounts, time deposit accounts, savings accounts, trust fund accounts, treasury and certificates of deposit -- which could total billions of taxpayer dollars. The tape lists agency names, account numbers, bank names and types of accounts.

"The analysis also found the account numbers of numerous state procurement cards -- known as 'P-Cards' -- most of which were fortunately out of date," the governor said. "The tape contains the names and Social Security numbers of dozens of Connecticut taxpayers, as the Comptroller's office revealed late Friday afternoon. And it contains numerous detailed documents from the development and implementation of the CORE-CT project."

The information dates to 2003, but most of the bank accounts are believed to be active, Rell added. Not all account information could be reviewed on Saturday, but all six of the DAS accounts listed, for example, were still active.

"At best, it's perplexing that the Comptroller and the Attorney General did not fully inform my office, agency heads or the commissioners on the CORE-CT Steering Committee about the bank data breach," the governor said. "It was known that some P-Card information was on the tape, but the depth and breadth of the bank account data breached is shocking. In essence the state's banking information has been laid bare.

"While I appreciate that the Comptroller and the Attorney General acted quickly to protect the 57 individual taxpayers whose Social Security information was contained on the tape, at least as much concern should have been shown for the more than 1.6 million individual and corporate taxpayers who pay the costs of state government and who would have been shortchanged if state agency bank accounts were illegally accessed," Rell said.

The active P-Cards listed on the tape have all been changed to prevent fraudulent use. Rell has ordered officials from DAS and the Office of Policy and Management (OPM) to meet with the financial directors of every state agency Monday morning to determine which of the bank accounts listed on the tape are active and to take immediate action to change or protect those accounts.

The governor has also ordered OPM and DAS to review all agency accounts since June to determine whether there has been any tampering or unauthorized access.

Rell said Accenture will be held responsible for any costs related to the actions she is ordering. She also directed OPM, DOIT and DAS to meet Monday and review the state's contract with Accenture to determine whether the company had a right to use any information from the CORE-CT system or the planning documents on any other project, such as the one in Ohio.

The CORE-CT information included planning documents, approach documents, data mapping templates, configuration documents, design documents, test scripts and data conversion and load programs. The tape also contained agency property value information.

If the review shows Accenture was permitted under the contract to use any of the information, Rell said she plans to seek a change in the contract terms to prohibit it in the future.