US state used car boot as offsite backup storage

Ohio State's administrative services department has been criticised for its flawed security practices, which for a number of years had allowed unencrypted backup tapes to be stored overnight in an employee's car.
Written by Liam Tung, Contributing Writer

The State of Ohio's Office of the Inspector General last week released findings of its investigation into the backup tape containing details of 800,000 Ohio taxpayers, stolen from the boot of an intern's car.

The intern, Jared Ilovar, a 22-year-old, US$10.50-an-hour employee hired three months earlier, had followed procedures enshrined in the 2002 business continuity plan of Ohio's Department of Administrative Services, Office of Information Technology, Office of Budget and Management.

The Inspector General's report said: "Although the Ohio Administrative Knowledge System (OAKS) is a US$158 million IT project and the State of Ohio is a US$52 billion business enterprise, OAKS administrators had not encrypted the data on the stolen backup tape and had authorised a succession of interns to take the tapes home for the previous two years with only an admonition to store the tapes in a safe place."

The tapes were first reported stolen in June and it was initially thought that 64,000 employees' details had been lost. However, the investigation revealed that an earlier directive to remove sensitive information from the shared drive had not been followed through.

The report blamed the Department's over-reliance on contractors for information management and outlined the organisation's flawed information security practices.

Craig Tamlin, Australian country manager for data storage vendor Quantum, said it is quite common for the IT administrator or accountant to take the backup tape home at the end of a day to protect against disaster.

"Some mid-sized organisations try to protect against disaster without thinking about the repercussions of tapes being lost," he said.

He said secured transport services exist, but pointed out that a courier company in the US had been hijacked recently.

"That's why we talk about de-duplication, which allows you to send a small sliver of data -- only the changes made each day -- encrypted, over the wire," said Tamlin. "It's that versus risking physical transport."

Barry Pendle, director of Sydney-based business continuity consultancy, PendleCooper, said, "If you can afford it, get a commercial organisation to manage the transport and storage of backup tapes. But there's almost always an alternative.

"One of our clients, a small real-estate agency, takes its backup tapes to a local bank vault to store overnight. It's a small overhead on an employee but it works well."

Pendle said testing business continuity plans on a regular basis is essential.

"Having someone to walk you through your disaster recovery practices means you don't have inappropriate assumptions made and all your options are fully explored," he said.
