Sensitive Data Remains on Disposed PCs

Many of Disposed Computers Repackaged for Public Auctions
Sensitive Data Remains on Disposed PCs
Multiple state agencies in New Jersey failed to remove data from computers and mobile devices when they were disposed, failing to comply with state requirements to wipe clean hard drives.

According to an audit issued last week by the New Jersey Office of State Comptroller, auditors found personal and confidential data on 79 percent of hard drives it tested, including completed tax returns; Social Security numbers; names, addresses and phone numbers of children placed outside of the parental home; a list of state computer sign-on passwords; and child abuse documentation including the names and addresses of the children. Auditors said many of these items were found on computers packaged for public auction.

"The availability of such confidential personal information and sensitive business information to third parties through the disposal of state-owned computer equipment presents security risks to the affected individuals and state agencies," the comptroller said. "Further, the release of such information to unauthorized parties would violate various federal and state statutes."

Contrary to state requirements, the comptroller report said, agencies sent to the warehouse shipments of computer equipment with no packing lists, no indication of the equipment's working order and no certification that the equipment's data had been removed. The shipments were accepted by the warehouse.

A letter from the state Division of Purchase and Property within New Jersey's Treasury Department said it generally agreed with the audit findings, and is working with the state Office of Information Technology to revise procedures to rectify the problem. Still, Purpose and Property officials said the division itself didn't have resources to assure compliance. "We concur with the intent of this recommendation, but must point out that the agencies who own data must continue to bear the ultimate responsibility for the security of that data and for cleansing data storage media according to security classifications of the data it contains," the letter said.

About the Author

Around the Network