Records of retired police compromised in database

By Jon Craig

August 28, 2008

COLUMBUS - An electronic database of about 13,000 retired Ohio police officers - including the retirees' names, home addresses and Social Security numbers - was improperly taken by a former Ohio Police & Fire Pension Fund employee this month, officials confirmed Wednesday. Advertisement

While pension fund officials do not think anyone's personal information has been misused, they sent a letter Monday warning pension fund members about the security breach.

"No bank account information of any sort was breached or put out of place," said David Graham, pension fund spokesman. "We have every reason to believe that it was not done in any malicious attempt or unlawful purpose. However, we have taken action, contacting the former employee."

"This employee did not leave on bad terms" Aug. 15, Graham said, but it was later discovered he had e-mailed a large attachment to "an outside non-business account. ... I'm not at liberty to say who it was." The e-mail containing mailing lists was flagged because of its size, he said.

In a letter Monday, William J. Estabrook, the pension fund's executive director, wrote, "While I do not anticipate that this person will use this information for a malicious intent or unlawful purpose, the Board of Trustees and I felt that it is important for you to be aware of the incident so that you could monitor the situation and notify us of any improper use of your name, address or Social Security number. In the meantime, OP&F is taking recourse against the former employee and is taking steps to prevent the additional disclosure of this information."

Malvon W. Hoffman, 93, of Mount Washington, tipped The Enquirer off to the pension fund data breach.

Hoffman, a retired Cincinnati police captain, said that three weeks ago he asked the pension fund to change his direct deposit payment from his savings to his checking account, but changed it himself Wednesday just to make sure. Hoffman, who retired from the Cincinnati Police Department in 1986 after serving 43 years, said, "I wasn't going to let them get away with it."

Graham said the pension fund decided to alert its members first, before issuing a press statement or posting a public announcement on its internet Web site. "Our first concern was getting the letter out to members," he said.

Graham said the retirees affected include several hundred former police officers who were later re-employed as firefighters.

It's undecided whether the former pension fund employee faces any punishment or prosecution. "He had turned in his resignation and on the way out the door this happened," Graham said. "Our legal counsel is examining OP&F's options."

Graham said within 30 hours of the former pension fund employee's retirement, it was discovered that the personal data, in the form of a large e-mail attachment, was discovered sent by the former employee to a non-business address.

page ATTRITION feedback