The state of Connecticut is back in the news due to another security breach. You’ll remember that a state laptop was stolen earlier this month, and I remarked that laptop encryption by AlertBoot would have helped in this case.
The Connecticut government is not to blame in this particular instance, however. The state is getting ready to sue IT consulting firm Accenture for the theft of a backup tape containing records tied to state agency bank accounts. This case is actually tied to the Ohio backup-tape theft case earlier this year. You might remember that an Ohio state intern was instructed to take backup tapes home as part of an ill-advised (to say the least) compliance effort in order to satisfy policies requiring backups to be kept off-site.
So, how did Connecticut’s data end up in Ohio’s backup tape? Apparently, Accenture employees working under contract for the state of Connecticut copied the data without authorization to the now-stolen tape. The Ohio data breach was in June, but Connecticut government officials were not notified until September.
According to a statement by Accenture, the Ohio Inspector General has determined, in so many words, that retrieving the data stored on the stolen tapes is a complex procedure and that there’s a very low probability of extracting the data. While I was not able to find the IG’s statement and read it directly, I’m sure that his office took into consideration the usual suspects who want to use the data for illegal activities and will attempt to retrieve it. And based on what I’ve read, the incentive is certainly there. The information stored in the backup tapes includes, according to Connecticut Gov. M. Jodi Rell’s press release:
…information on nearly every bank account held by [Connecticut] state agencies – including checking accounts, money market accounts, time deposit accounts, savings accounts, trust fund accounts, treasury and certificates of deposit – which could total billions of taxpayer dollars. The tape lists agency names, account numbers, bank names and types of accounts. Also, the Social Security numbers of 58 taxpayers have been compromised as well.
Why did Accenture have Ohio’s backup tapes? Turns out that Ohio hired Accenture to develop a payroll and inventory system similar to the one developed for Connecticut. The problem with the development of any kind of system is that it must be tested with real data. Data is data is data…but data is stored in different ways, and a programmer must ensure that the system they’re creating will be able to read and use existing data. My guess is that somebody at Accenture picked up the wrong tape and recorded data for testing purposes. This is assuming that the two systems were in development at the same time; otherwise, it opens up a whole can of worms such as, “why was Accenture holding on to this information after finishing up Connecticut’s system?” And I can’t think of any legitimate reason for that.