Compact disks with the private data of all the registered voters in the state of Ohio have been distributed to political campaign operations gearing up for spring primary election races. The incident has been put down to human error after a clerk apparently failed to check exactly what information was on the disks. According to experts at InfoWatch, however, there is no excuse for organizations not managing risks such as human error and confidential data leaks.
Social Security numbers and other private records of several million registered voters from the U.S. state of Ohio were copied to compact disks which were handed out to 20 political campaign operations in recent months as they geared up for spring primary election races, reports ComputerWorld.
The incident was only discovered a few days after it occurred when a member of one campaign group phoned the state authorities asking why they had sent a disk containing the private details of local residents.
An agreement has since been reached between the state authorities and the political campaign operations for the return of the disks. The campaign groups will then receive new disks minus the Social Security numbers and other private data.
There are 7.7 million registered voters in Ohio, though there is no evidence to suggest that the Social Security numbers of absolutely all of them were on the disks. The disks also contained people’s names, addresses and those elections that they had participated in since 2002.
For many years, Ohio voter registration forms included a space where the voter could choose to include a Social Security number, but it was optional. Earlier this year, the forms were changed to include only the last four digits of the number to better protect a voter’s private information. It appears the mistake that allowed whole Social Security numbers to appear on the disks was down to workers at the state electoral commission failing to check the content of the disks.
It is the second time in recent weeks that human error by state employees has been linked to data security breaches in Ohio. In March a local resident filed a lawsuit against the state authorities after he found his Social Security number had been on public view for a number of years on a state Web site. It was later discovered that people’s credit card numbers, bank account details and other sensitive information were also accessible on the site.
“Human error is impossible to eradicate completely, though that is no excuse for ignoring it. It should be managed just like all other IT security risks. For example, if a comprehensive system of control over all confidential information is installed in an organization, then it substantially reduces the number of incidents where an employee accidentally posts private records on the Internet or copies them to a disk. In the same way, major leaks of sensitive data will also be averted because those specialized products simply won’t allow private details to be copied or transferred to external media. The number of sporadic leaks will also be minimized,” explains Denis Zenkin, marketing Director at InfoWatch.
Source: ComputerWorld