Ohio Contractor Suspected in ‘Joe the Plumber’ Breach

The Ohio State Highway Patrol has identified a suspect in a criminal case involving illegal access to information in a state government database about Joseph Wurzelbacher, the plumber made famous by Sen. John McCain (R-Ariz.) during the Oct. 15 presidential debate.

Sgt. Tim Karwatske, a spokesman for the state highway patrol, today said that the investigation is focusing on a contractor working for the Ohio Department of Insurance in Columbus. A Hewlett-Packard computer belonging to the agency has been seized as evidence, Karwatske said.

He did not name the person because the investigation is still under way and no formal charges have been filed in the case, he said.

The criminal investigation came at the behest of Ohio State Attorney General Nancy Rogers’ office after it was discovered that someone had surreptitiously used an old test account created by the attorney general’s IT team to access Wurzelbacher’s records.

This is not the first time that reports of illegal access to records of high-profile individuals by insiders with privileged access have surfaced during this election. Earlier this year, U.S. Department of State officials disclosed that private contract employees working for the agency had repeatedly accessed passport records belonging to McCain, Sen. Barack Obama (D-Ill.) Sen. Hillary Clinton, (D-N.Y.) and others.

Jennifer Brindisi, a spokeswoman for the Ohio attorney general’s office today said that the test account used to access Wurzelbacher’s data was created four years ago during the development of Ohio’s Local Law Enforcement Information Sharing Network (OLLEISN). The test account was shared with several unidentified contractors when OLLEISN was being built, Brindisi said.

When the illegal use of the account was discovered, the matter was turned over the Highway Patrol, which launched a criminal investigation into the unauthorized access, Brindisi said. “No one from the Attorney General’s Office was involved in the unauthorized inquiry into Joe Wurzelbacher’s records,” Brindisi said via e-mail. The attorney general’s office has changed the security codes and taken other “appropriate measures” to tighten access to OLLEISN data, Brindisi said.

OLLESIN was created by the Ohio Association of Chiefs of Police as a tool to help local law enforcement agencies in the state share multi-jurisdictional information on suspects, wanted individuals, warrants, incident data and field interview notes, according to an official description of OLLESIN.

The data behind OLLESIN is part of the state attorney general’s Ohio Law Enforcement Gateway (OHLEG) Web portal and can be accessed either via a Web interface or through the Computer Aided Dispatch and Records Management Systems used by law enforcement officers. Users need individual accounts issued directly from the Rogers’ office to access the records and all access is logged.

The illegal access case is just one of four similar incidents involving Wurzelbacher’s information after the plumber shot into the news following McCain’s repeated use of his name to highlight a point about Obama’s tax plans. The data checks were initially uncovered by The Columbus Dispatch, which on Saturday reported that Wurzelbacher’s file at the Ohio Bureau of Motor Vehicles (BMV) had been accessed at least three times by unknown individuals using state government computers in the days immediately following the debate.

According to the paper, the information in the BMV computers was accessed from accounts assigned to at least two state government agencies in addition to the one in Rogers’ office.

In a follow-up report this morning, the paper noted that Ohio’s inspector general is also investigating why the director of the Ohio Department of Job and Family Services had approved a check of Wurzelbacher’s background in the agency’s child-support computer system.

It is not clear yet what exactly motivated these searches. McCain’s camp has accused Obama’s team of being somehow involved in the matter, while the latter’s campaign has flatly dismissed such suggestions.

Such incidents highlight the relative absence of proper access controls and measures for enforcing them, said Brian Cleary, a vice president of marketing at Aveksa, a Waltham, Mass.-based security vendor. Organizations that want to mitigate the risk of such incidents need to implement controls to ensure that privileged insiders have access to critical information only on an as-needed basis, he said.