May 29, 2016


Computer expert probing theft of state records

Matt Reed
The Associated Press 
COLUMBUS — The state has hired a computer security expert who specializes in civil and criminal cases to determine the likelihood of someone getting access to the data on a stolen backup storage device, Gov. Ted Strickland said Sunday.
Matthew Curtin, 34, today will begin reviewing what is already known to be on the device, whose theft was revealed Friday.
Also on Sunday, Strickland said the device contained the names and case numbers of the state’s 84,000 welfare recipients, who face “a remote threat of identity theft,” and the names and federal tax identification numbers of vendors that receive payroll deduction payments from the state — about 1,200 records. Sixteen of those records contain banking information, he said.
Strickland said the Ohio Department of Commerce would send letters today to banks, credit unions and other financial institutions alerting them that customers’ information may have been compromised.
Previously, it was revealed the device contained the names and Social Security numbers of all 64,000 state employees. It also contained bank account information about the state’s school districts and Medicaid providers and information about 53,797 people enrolled in the state’s pharmacy benefits management program and the names and Social Security numbers of about 75,532 dependents.
Strickland again said that he has no reason to believe the information has been compromised because getting it requires special equipment and expertise. He also has issued an executive order to change the procedures for handling state data. Strickland and Curtin said the analysis of what’s on the device should be finished today.
“The analysis of the data is nearly complete, but we have several additional files that are so complex that it will take some time,” Strickland said at a Statehouse news conference on Sunday — his third in three days.
Curtin founded Interhack Corp. in Columbus 10 years ago. “We make the bad guys give up,” the company says on its Web site. Curtin said he would have a better idea on how someone could get access to information on the device on Monday.
“We’ve just, just gotten started,” Curtin said Sunday. “By tomorrow, I’ll have some insight and have my hands around it.”
The device — listed in a police report from suburban Hilliard as being worth $15 — was reported stolen along with a $200 radar detector, out of the car of 22-year-old Jared Ilovar, a college senior making $10.50 an hour in his state job. Ilovar is an intern with the Office of Management and Budget assigned to work on the state’s $158 million payroll and accounting system. Telephone and e-mail messages seeking comment were left for Ilovar.
Strickland said Ilovar mistakenly left the device in a vehicle parked outside an apartment when it was supposed to be taken into his home as part of a protocol in place since 2002.
Sol Bermann, chief privacy officer at the state Office of Information Technology, called Curtin one of the country’s foremost data security experts.
“It’s a third-party validation of our work. It’s important that someone double-checks for us so that nothing is missed.”
The state is expected to pay $50,000 to Curtin, who said he doesn’t know how long his investigation will take.