DoD Units Fail to Sanitize Hard Drives Before Shipment

Several military units failed to adequately sanitize hard drives of data, including Social Security numbers of military personnel, before shipping the IT equipment to other organizations, in violation of Department of Defense rules, the DoD inspector general said in a report.

The IG took to task individual units as well as the Defense Reutilization and Marketing Service for failing to implement adequately DoD internal controls that require the sanitization, documentation and full accountability of excess unclassified IT equipment before releasing the equipment to other organizations. "The instances of nonperformance occurred because DoD components did not follow policies, adequately train personnel or develop and implement site-specific procedures to ensure excess unclassified equipment was sanitized and disposed of properly, said the 53-page report, which was issued Sept. 21.

Additionally, the IG said, DoD guidance issued by the assistant secretary of defense for networks and information integration, who also serves as the Defense CIO, and the Navy CIO was out of date and did not cover sanitizing and disposing of new types of information storage devices. As a result, four DoD units could not ensure personally identifiable information or other sensitive departmental information was protected from unauthorized release, and one of the units could not account for an excess unclassified computer.

Specifically, the IG reported, the following pieces of excess unclassified IT equipment contained readable information.

• An electrocardiogram machine waiting to be shipped from the 436th Medical Group at Dover Air Force Base in Delaware to another Air Force component contained the full names and Social Security numbers of three patients. Officials told us that the electrocardiogram machine contained this information because the 436th Medical Group personnel were unaware that some medical equipment, such as electrocardiogram machines, contained hard drives. The 436th Medical Group officials said they had not been properly trained to sanitize all types of excess unclassified IT equipment.


• Five hard drives waiting to be shipped from the Naval Air Warfare Center Aircraft Division, Naval Air Station Patuxent River, Maryland, to a DRMS processing center contained readable information. One computer contained information such as phone numbers, e-mail addresses, instant messaging traffic, pictures, and various system log files. These hard drives contained information because the Naval Air Systems Command and Naval Air Warfare Center Aircraft Division had not adequately trained personnel responsible for sanitizing equipment or developed site-specific policies that clearly defined sanitization and disposal roles and responsibilities. For example, Naval Air Warfare Center Aircraft Division lab personnel had not received formal training on degaussing equipment and, in one instance, used an audio-video degausser - a process to eliminated an unwanted magnetic field - to degauss hard drives.


• Three hard drives waiting to be redistributed from the 50th Space Communications Squadron, Schriever AFB, Colorado, to another Schriever AFB command contained personal user folders or default operating system information. The information remained on the equipment because the 50th Space Communications Squadron had not established and implemented a process ensuring that excess unclassified IT equipment containing more than one hard drive was properly sanitized. Two of the three hard drives that were not properly sanitized were pulled from computers that housed more than one hard drive, and the equipment custodian did not physically verify whether these computers contained more than one hard drive. No explanation was available as to why the third hard drive had not been properly sanitized.


• A hard drive sent from the U.S. Army Garrison West Point, New York, to a Defense Reutilization and Marketing Service processing center contained bytes of random characters. Officials told us that this occurred because the U.S. Army Garrison West Point did not properly train personnel. In addition, U.S. Army Garrison West Point did not follow proper procedures by performing the required verification of sanitized excess unclassified IT equipment before sending equipment to a Defense Reutilization and Marketing Service processing center.

Click to Get Updates on the Latest Information Security News

Company* Title* Email* Subscription Type: HTML Text Government Enews General Government Enews Blogs Enews Careers Enews Training Enews Webinars Enews Podcasts Enews White Papers Enews Banking Enews General Banking Enews Blogs Enews Careers Enews Training Enews Webinars Enews Podcasts Enews White Papers Enews Credit Union Enews General Credit Union Enews Blogs Enews Careers Enews Training Enews Webinars Enews Podcasts Enews White Papers Enews Need Help?

According to the IG, the commander of the 436th Medical Group and the 50th Space Communications Squadron did not provide comments on the draft report issued on June. The IG requested comments from them on the final report to be issued in a month. Management comments the IG received were partially responsive, and the auditors asked for further clarification.