Here is a full rewrite of our post:
State Auditor Troy Kelley released details of a six-week audit of surplus computers Thursday that found four of 13 state agencies examined were poised to sell computers that still had confidential data on them. This included Social Security numbers, tax information and in one case even a psychiatric evaluation.
The audit report, which sheds light on the state’s yearly sale of about 10,000 surplus computers, looked at a sample of 177 computers slated for sale during July and August last year. Of the total, 11 had information that would have been unlawful to disclose.
You can read the full report here.
Kelley and senior performance auditor Todd Larson told reporters during an Olympia news conference that sales were immediately quarantined at the Department of Enterprise Services’ surplus warehouse in Tumwater after the failures to erase data were discovered.
And Kelley questioned whether it now makes sense to sell any computers with hard drives in them.
“If we are getting very little money for these computers and we have high risk, then I think we have to stop,” he said.
The Department of Enterprise Services collected $411,600 for sales of all surplus computers and related equipment in 2013, using it to cover expenses and turning some portion of it back to agencies, according to spokeswoman Jennifer Reynolds.
Auditors said it was not hard to find some of the data. Overall, auditors found sensitive information on five different computers from the Department of Social and Health Services, three at Labor and Industries, two at Ecology and one at the Department of Health.
The DSHS data included a client's extensive medical history chart, an application for drug treatment, a psychiatric evaluation report, a welfare application, personal bank and credit information, and an IRS form with Social Security numbers.
Three computers from Labor and Industries had Social Security numbers, dates of birth, a doctor's report with Social Security numbers, and tax return forms, while one Department of Health computer had instructions for getting access to a server with password and log-on information. Two Department of Ecology computers had information about employees including one with a Social Security number.
Auditors said they had no evidence of personal data having been misused by buyers of computers. But they said they believe computers sold over the years contained sensitive data that was supposed to have been removed first.
In most cases state agencies had data removal policies and software to wipe computer drives clean of all data. But state Chief Information Officer Michael Cockrill and Kelley said staffers were not following policies or had used the software but failed to verify that the computer hard drives had been erased.
Four agencies – DSHS, Transportation, Parks and Recreation, and the state Senate – did not have documented procedures in place. And 10 – including Ecology, Fish and Wildlife, Health, Labor and Industries, Natural Resources, DSHS, Transportation, Insurance Commissioner, Parks and the Senate – did not follow recommended practices for verifying that data on hard drives had been destroyed.
The audit did single out two agencies – Employment Security and Enterprise Services – for following best practices set by the National Institute of Standards and Technology to verify data removal from hard drives.
Auditors said their findings mirrored what other states have found when analyzing surplus computer sales.
Cockrill said his agency is reviewing options going forward and that it is possible the state would completely stop sales of computers that have old hard drives in them. He said in a press conference that “mistakes were made.” But he did not pinpoint who was to blame for the lapse.
Kelley credited Cockrill’s Office of the Chief Information Officer for taking steps since last summer to ensure that all agencies adopt policies for erasing sensitive data from computer hard drives before they are sold. Cockrill said the auditor held back his findings to give his OCIO time to close the security hole.
Cockrill and auditors also said that since the security problem was discovered, Enterprise Services has begun sending all surplus computers it receives from agencies to a Computers for Kids program. A Department of Corrections employee at the Airway Heights prison near Spokane then wipes the computers clean to achieve what the agency described as Department of Defense standards.
The computers are later refurbished by inmates, then sold at a discount to public schools in Washington.
Several agencies reported taking corrective actions, including Health and Ecology, which said they have a "two-person verification and sign-off process to ensure all hard drives are removed from computers prior to the computers leaving department control." The Department of Transportation bought shredder equipment to destroy all of its hard drives.
Cockrill said that after the audit his agency has taken steps to ensure that no computers from state agencies are sold as surplus with hard drives that have not been through the centralized wiping operation at Airway Heights.
But cities and counties that sell equipment through the state's warehouse are not under his control, Cockrill said. He expressed hope that local governments take heed of the audit findings.
Kelley said agencies have been selling surplus property for years.
The audit looked at computers but not printers and copiers that can retain large amounts of data.