Ohio Governor Ted Strickland announced Friday that the names and social security numbers of all 64,467 state employees were contained on a computer back-up device that was stolen on Sunday, June 11, but also emphasized that the data would be very difficult for a thief to access.
"I have asked the Ohio Highway Patrol to lead the investigation to recover the device," Strickland said. "Also, I have directed the Department of Administrative Services to secure the opportunity for state employees to access free identity theft prevention and protection services for one year."
It was determined the device contained personal employee information after reviewing 338,634 files in 24,333 folders over four days.
Tuesday it appeared that some of those 338,634 files might have contained names and social security numbers. After two days of review, it was determined that the names and social security numbers for all state employees were on the device.
DAS Director Hugh Quill notified state employees Friday morning via e-mail. The governor also said a letter will be sent to each employee's home, and a Web site went live to provide ongoing information for employees and the public regarding the situation.
Sunday, Strickland announced that he will seek to engage Matthew Curtin, a nationally known expert on information technology, security and data forensics, to assist with the state's ongoing review of the information in the stolen data device. Curtin is the founder of a Columbus-based firm, Interhack, dedicated to computer trustworthiness and information protection.
"Our review of the information in the stolen data device will continue until we have determined, with the assistance of this nationally recognized data forensic expert, that we have identified every piece of sensitive information contained in the device," Strickland said. "We will continue to inform the public as new information becomes available."
The following information was contained on the stolen medium:
As of Sunday, the 17th, it was made known that the data also included:
Because the data was contained on a specialized medium, Strickland said it is highly unlikely that the data could be accessed by someone without the knowledge of how to do so.
The theft of the device happened when a state intern's car was broken into. Electronic data management standards at the intern's worksite call for one set of backup data to be stored off-site and the intern had been inappropriately designated to store the data at his home.
The governor has ordered the cessation of this data management practice, a review of the events that led to the data being compromised, and will take appropriate disciplinary action when the facts are known.
The governor has directed by executive order that state information technology managers immediately review, and if necessary change, the procedures for handling back up information to ensure that information is secure at all times.
"I urge all state employees to visit the State Employee Identity Protection Web site," said Strickland, "to learn how to sign up for free identity theft prevention services."