Photo via Shutterstock

Medical records. Social Security Numbers. Employee performance evaluations.

Those were just some of the confidential records found on old computers that several agencies in Washington state were sending to surplus, violating policies for properly wiping computer hard drives, according to a new report from the Auditor’s Office.

“With the right knowledge of data retrieval, the confidential information we found could be obtained in a few minutes,” the report noted. “Had these computers been sold, the presence of confidential information on their hard drives posed a risk of harm to private individuals and the state.”

The report estimates that roughly nine percent of all computers, or 109 devices, that were set to be sent to surplus or destroyed contained confidential information. In one instance, a computer had its operating system still installed, while in another a machine contained dozens of inappropriate photos.

“We saw some types of confidential data recur more frequently during our tests, including employee performance evaluations and personnel information, user names and passwords, and network access instructions,” the report said.

In some instances, computers were sent to surplus before technicians were able to remove confidential data, while in others staffers wrongly assumed that if a computer did not turn on, its hard drive no longer contained sensitive material, when in fact it did.

The Auditor’s Office analyzed computers at 13 agencies and found that four of them (the Department of Ecology, the Department of Health, the Department of Labor & Industries, and the Department of Social and Health Services) did not follow proper protocols for wiping the machines.

The state sent about 20,000 old computers to surplus over the past two years, with some of the computers distributed to non-profits, school districts and other organizations. Others are sold to the public at a surplus store in Tumwater or over the Internet.

State laws require that all machines be properly wiped of confidential information prior to sale or distribution, and that appears to be where the breakdown occurred.

Officials with the state have reacted promptly to the report, titled “Safe Data Disposal – Protecting Confidential Information.” Each of the departments has instituted new standards to make sure old computers are not sent to surplus with confidential data.

“The state is committed to protecting confidential data and eliminating or preventing security vulnerabilities. While the state acted quickly to resolve this issue, the SAO audit reflects the need to continually review each agency’s data removal processes. This audit is an excellent example of government working together to discover, scope and resolve a problem,” wrote David Schumacher, director of financial management, and Michael Cockrill, chief information officer, in a letter to the Auditor’s Office dated April 8th.

You can read the full report here.


Comments

  • Sam Cheyne

    I hate to say this, but computers have been in use for many many years. As an Information Protection Specialist in my past, with being a Certified Protection Professional; and many other certifications along with having a Master’s Degree in Computer Science, I must say that the Information Technical people with the State and even our U.S. Government are totally ignorant when it comes to protecting our sensitive information.
    Wake up, people! Overlooking a darned important task of not wiping (preferably destroying) the media on a CD, DVD, Hard Disk, etc., is an outright crime. In fact it is called “Gross Negligence.” I have seen this overlooked in businesses as well. The CIO and CSO should be held responsible.
    Information Protection is at the very top of Sensitive Information. It once again demonstrates that the Information Protection education is not being emphasized! Let’s get on board CIO/CSOs and employees…it might even be your own information…Sam Cheyne
