DoD Units Fail to Sanitize Hard Drives Before Shipment

IG Report: Social Security numbers, other data exposed

Several military units failed to adequately sanitize hard drives of data, including Social Security numbers of military personnel, before shipping the IT equipment to other organizations, in violation of Department of Defense rules, the DoD inspector general said in a report.

The IG took to task individual units as well as the Defense Reutilization and Marketing Service for failing to adequately implement DoD internal controls that require the sanitization, documentation and full accountability of excess unclassified IT equipment before releasing the equipment to other organizations. "The instances of nonperformance occurred because DoD components did not follow policies, adequately train personnel or develop and implement site-specific procedures to ensure excess unclassified equipment was sanitized and disposed of properly," said the 53-page report, which was issued Sept. 21.

Additionally, the IG said, DoD guidance issued by the assistant secretary of defense for networks and information integration, who also serves as the Defense CIO, and the Navy CIO was out of date and did not cover sanitizing and disposing of new types of information storage devices. As a result, four DoD units could not ensure personally identifiable information or other sensitive departmental information was protected from unauthorized release, and one of the units could not account for an excess unclassified computer.

Specifically, the IG reported, the following pieces of excess unclassified IT equipment contained readable information.

  • An electrocardiogram machine waiting to be shipped from the 436th Medical Group at Dover Air Force Base in Delaware to another Air Force component contained the full names and Social Security numbers of three patients. Officials told us that the electrocardiogram machine contained this information because the 436th Medical Group personnel were unaware that some medical equipment, such as electrocardiogram machines, contained hard drives. The 436th Medical Group officials said they had not been properly trained to sanitize all types of excess unclassified IT equipment.

  • Five hard drives waiting to be shipped from the Naval Air Warfare Center Aircraft Division, Naval Air Station Patuxent River, Maryland, to a DRMS processing center contained readable information. One computer contained information such as phone numbers, e-mail addresses, instant messaging traffic, pictures, and various system log files. These hard drives contained information because the Naval Air Systems Command and Naval Air Warfare Center Aircraft Division had not adequately trained personnel responsible for sanitizing equipment or developed site-specific policies that clearly defined sanitization and disposal roles and responsibilities. For example, Naval Air Warfare Center Aircraft Division lab personnel had not received formal training on degaussing equipment and, in one instance, used an audio-video degausser - a process to eliminate an unwanted magnetic field - to degauss hard drives.

  • Three hard drives waiting to be redistributed from the 50th Space Communications Squadron, Schriever AFB, Colorado, to another Schriever AFB command contained personal user folders or default operating system information. The information remained on the equipment because the 50th Space Communications Squadron had not established and implemented a process ensuring that excess unclassified IT equipment containing more than one hard drive was properly sanitized. Two of the three hard drives that were not properly sanitized were pulled from computers that housed more than one hard drive, and the equipment custodian did not physically verify whether these computers contained more than one hard drive. No explanation was available as to why the third hard drive had not been properly sanitized.

  • A hard drive sent from the U.S. Army Garrison West Point, New York, to a Defense Reutilization and Marketing Service processing center contained bytes of random characters. Officials told us that this occurred because the U.S. Army Garrison West Point did not properly train personnel. In addition, U.S. Army Garrison West Point did not follow proper procedures by performing the required verification of sanitized excess unclassified IT equipment before sending equipment to a Defense Reutilization and Marketing Service processing center.
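Two of the failures above are mechanical rather than policy problems: a custodian who never enumerated every disk in a chassis (Schriever AFB), and a site that skipped the post-wipe verification read (West Point). The script below is an added example, not part of the IG report or of any DoD procedure, showing what that verification step looks like on a Linux host: list every whole disk the kernel can see so a second drive is not missed, then read the entire target back and confirm it contains only zero bytes, printing any printable runs that survived when it does not. The disk images it checks are constructed in a temporary directory; the function names and the `/sys/block` enumeration are this example's own choices.

```shell
#!/bin/sh
# Added example: post-wipe verification for excess IT equipment.
# Assumes a Linux host; reading a real device (e.g. /dev/sdb) needs root.

# list_disks: every whole physical disk the kernel exposes, so a chassis
# with more than one drive is caught before the custodian signs it off.
list_disks() {
    for d in /sys/block/*; do
        n=${d##*/}
        case $n in loop*|ram*|dm-*|sr*|zram*) continue ;; esac
        [ -e "$d/device" ] || continue      # skip virtual block devices
        echo "/dev/$n"
    done
}

# check_disk_count EXPECTED: compare attached disks with the number on the
# property record; a mismatch means a drive was added or removed untracked.
check_disk_count() {
    found=$(list_disks | wc -l | tr -d ' ')
    [ "$found" -eq "$1" ]
}

# count_nonzero FILE: number of non-zero bytes in the FULL contents of FILE.
# This is a complete read on purpose; sampling would miss a partial wipe.
count_nonzero() {
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# is_zeroed FILE: exit 0 only if FILE (or device) is entirely zero bytes.
is_zeroed() {
    [ "$(count_nonzero "$1")" -eq 0 ]
}

# leftover_strings FILE [N]: up to N printable runs of 8+ characters that
# survived the wipe, which is what an auditor would see with a hex viewer.
leftover_strings() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -E '^.{8,}$' | head -n "${2:-5}"
}

# make_samples DIR: constructed sample images (not real drives): one that
# was zero-filled and one where a wipe left a record behind at offset 8192.
make_samples() {
    dd if=/dev/zero of="$1/wiped.img" bs=4096 count=16 2>/dev/null
    cp "$1/wiped.img" "$1/unwiped.img"
    printf 'PATIENT RECORD: SAMPLE, A  DOB 1970-01-01\n' |
        dd of="$1/unwiped.img" bs=1 seek=8192 conv=notrunc 2>/dev/null
}

# Demo against the constructed images:  sh verify_wipe.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_samples "$d"
    for f in "$d/wiped.img" "$d/unwiped.img"; do
        if is_zeroed "$f"; then
            echo "PASS $f"
        else
            echo "FAIL $f: $(count_nonzero "$f") non-zero bytes; leftovers:"
            leftover_strings "$f"
        fi
    done
    rm -rf "$d"
fi
```

On real hardware the read-back is only meaningful for magnetic disks that were overwritten in place: a degausser, audio-video or otherwise, does nothing to flash storage, and an SSD can hold data in over-provisioned cells that no host read will show, so for those the vendor's firmware sanitize command plus this read-back is the minimum. The enumeration step also belongs in the chain of custody: record the output of `list_disks` (and serial numbers) on the transfer paperwork, not just the chassis asset tag.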

According to the IG, the commanders of the 436th Medical Group and the 50th Space Communications Squadron did not provide comments on the draft report issued in June. The IG requested comments from them on the final report, to be issued in a month. Management comments the IG did receive were partially responsive, and the auditors asked for further clarification.

The IG recommended that the:

  • Defense CIO and the deputy chief of naval operations for communications networks update current sanitization and disposal policies to ensure they address current technology issues;

  • Navy CIO establish and implement a clear, detailed policy for sanitizing and disposing of excess IT equipment including electronic storage devices; and

  • DoD units sanitize and account for excess unclassified IT equipment in accordance with applicable laws and regulations.

IG auditors visited six Defense units, nine Defense Reutilization and Marketing Service processing centers and two contractors and selected 543 of 4,105 pieces of excess unclassified equipment to review.


About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
