Archive for Wednesday, June 18, 2008

SSNs likely on sold computers

A Topeka woman says she's lost trust in the state after old state computers with confidential information on them were up for sale to the public.

June 18, 2008, 12:39 p.m. Updated June 19, 2008, 12:00 a.m.


Related document

Computer Security Audit Report ( .PDF )

— Computers sent to the state Surplus Property agency for sale to the general public still contained confidential information, including thousands of names and Social Security numbers, according to an audit released Wednesday.

The discovery by the Legislative Division of Post Audit brought a temporary halt last month to the sale of used state computers, and promises from the heads of several large state agencies to do a better job. The state also is considering whether to hunt down old computers that were sold.

Lawmakers expressed dismay over the findings and worried about the potential for identity theft and computer hacking.

"After reading this report, I had to take a few nitro glycerin tablets and go lay down," said state Rep. Virgil Peck Jr., R-Tyro.

Lawmakers had asked Legislative Post Audit to find out if data was properly disposed of from state computers that were being sold as surplus property.

Auditor Allan Foster checked 15 computers at the state Surplus Property agency. Data was still on 10 of the computers, and seven of those contained confidential documents, including thousands of Social Security numbers, he said.

"The results were pretty disturbing," Foster said.

For the Legislative Post Audit Committee, Foster demonstrated how he was able to access confidential files by using readily available $60 software.

He found thousands of names and Social Security numbers of Medicaid beneficiaries, personnel information on state employees, password files that could be misused by computer hackers, employee accident reports, an investigation into alleged improprieties by a grant recipient, architectural drawings of a state office building, and copyrighted music files.

If those names and Social Security numbers had gotten into the public, he said, it "would have cost the state a lot of money" to provide those people with help in making sure identity thieves didn't use the information to get credit cards in their names.

He said some state agencies had no policies for removing data from computers taken out of service, while others thought Surplus Property was responsible for wiping out the hard drives. Some computers had been reformatted, but that didn't remove all the data.

In response to the audit, several state agencies said they would immediately tighten up policies and procedures to take care of the problem.

But Foster noted the problem could be more widespread. Surplus Property disposed of approximately 600 computers on behalf of state agencies in the year ending April 30. And the audit looked only at state agencies in Topeka, and didn't take into account state offices across Kansas and how they dispose of computers.

Gavin Young, a spokesman for the Department of Administration, said the agency was considering whether to try to track down used state computers to determine if their data was deleted. But, he said, the department has received no reports of identity theft based on data contained on computers from state agencies.

"We don't have a single occurrence of this situation ever happening," he said.


Tristan Moody 9 years, 11 months ago

Why don't they simply remove and destroy the hard drives? New ones are cheap, and physical destruction of the disk platters is the surest and easiest method of ensuring that confidential data does not fall into the wrong hands.If you want a software route, boot up a linux livecd, open a terminal and type [user@localhost]$ dd if=/dev/urandom of=/dev/sdaor whichever device file is appropriate for the hard drive. Repeat a couple times if you want to be really sure.

jayhawkbarrister 9 years, 11 months ago

Gosh, I feel so much safer, now that that issue has been audited and the sale of those computers has been stopped, . . . . temporarily!

just_another_bozo_on_this_bus 9 years, 11 months ago

Of course, whoever is responsible should be held accountable, but let's not pretend that similar problems don't happen all the time in the private sector. Humans are humans, and will make mistakes whether they work for the government or someone else.My concern at this point is why this announcement was made before tracking down those computers. Now, anyone who has one has been alerted that there may be such sensitive data on the computers they have.BTW, hard drives can be completely wiped clean, although it's a more involved process than the average user would generally employ.

Phillbert 9 years, 11 months ago

The legislators are probably more worried about people finding out their personal Internet browsing habits.

monkeyspunk 9 years, 11 months ago

Actually Bozo, according to SOXA, if a private sector IT person were to do this, he would be canned, and there is an excellent chance that the CIO or IT Director would be given a pink slip as well. Then there would be eyes turning toward the CEO of the company regarding legal charges. Thanks to Enron and SOXA, IT security (or lack of) can get an executive fired and put in jail. One of the HUGE problems with the state right now is that each department is its own little "island." They have their own administration and their own IT departments and networks. This leads to a wide variety of systems between departments and I would bet a fairly large amount of waste and security issues. I would bet good money that this breach will result in a HIPAA investigation as it is very likely that if there were SSNs on them, there was medical information as well. SWGlassPit, what a clunky way to go about that! There is a program called DBAN. It has a function that is DoD approved and does 7 wipes of the hard drive. It has even more thorough settings that can do up to 9 wipes. More than enough. DBAN can be loaded on to a floppy or made into a bootable CD.

bearded_gnome 9 years, 11 months ago

He said some state agencies had no policies for removing data from computers taken out of service, while others thought Surplus Property was responsiblefor wiping out the hard drives. Some computers had been reformatted, but that didn't remove all the data.ya think?!? duh! this is the most amazing news of the billious administration yet! OMG. can we see criminal charges? seems really the only secure way to prevent the data from going with the computer is: take out the hard drive and give it a good crunch! this audit only applied to topeka offices? so, lawrence is, of course, more secure with its SRS office, right? sure. riiiiiiiiight. *** "every happening ..." edit, anyone?

jafs 9 years, 11 months ago

Problems with incompetence seem more prevalent in the governmental sector than the private one, although not much more.Part of the problem is that the government is not competing actively with other organizations, the way private businesses do (or should), and part of it is the bureaucratic culture.

Fred Whitehead Jr. 9 years, 11 months ago

And just who the hell is responsible for this error by state IT people who, if they have a head on straight, ought to know that data on ANY computer, if erased, is easily recovered with the right software. If you think that when you delete a file, it is gone, you are wrong. Deleted files remain on the computer, minus the first letter of the file name. The rest is there for those savvy enough to find it, read, most all hackers and data theft experts. This is not uncommon knowledge to persons who are supposed to be competant working with computers. Someone is asleep at the switch and this needs to be fixed. The knowledge of lack of security with today's data systems is necessary to be trusted with secure data.

Janet Lowther 9 years, 11 months ago

Last year I bought an old laptop from state surplus.It had been re-formatted and had a fresh installation of Windows 2000, so as far as most users are concerned the data was gone, and unless you went looking for recoverable data, it may as well have been gone. Indeed, even after being reformatted ext3 and having Linux installed, there may still be recoverable state data on the drive, but I'm just not nosy enough to bother looking.However, I do have a program which will scrub MY data off of it's drive to DOD standards and will use it before I pass it on. On the other hand, that laptop is old enough that I might just use it for target practice. . . A 140 grain bullet at something over mach 2 aught to do the job on that little hard drive.

Fred Whitehead Jr. 9 years, 11 months ago

Sigmund, I KNOW of at least two city employees who committed violations of Federal law and have proof it. My complaint was returned as "unfounded" and the city commission ignored my repeated requests that they examine my evidence. I KNOW about incompetance and CYA in the city government and the gutless and spineless city commission who bury their heads in the sand.

just_another_bozo_on_this_bus 9 years, 11 months ago

I have to disagree, jafs. My interactions with both governments and corporations show that people are people, and the larger the organization, the more likely that the left hand doesn't know what the right hand is doing.

bearded_gnome 9 years, 11 months ago

oh no hawk!you've gone and done it now!uncool will be on here pimping that website, posting post after post after post after rotten post!!!!!and, it'll be all your fault!sledgehammer, not bad idea though for the hd's. either that, or we could create a new tv game show:"hack that old state computer for riches!" better than dialing for dollars.

tir 9 years, 11 months ago

"Lawmakers expressed dismay over the findings and worried about the potential for identity theft and computer hacking."Good--I hope they are really worried--they should be. Maybe since some of their own confidential information could have been on some of those surplus computers that got sold they will be worried enough to actually do something about it.Absolutely the state should be tracking down those sold computers, determining who among us might be at risk for ID theft, warning them, and providing credit monitoring for them.Just because Gavin Young doesn't know of any cases where ID theft has resulted from the data on sold surplus computers doesn't mean that it hasn't happened or that it won't happen. What planet is he living on?

pczukor 9 years, 11 months ago

The last sentence is the prototypical response of lazy Customer Service people and clueless government spokespeople who wish to bury their heads in the sand rather than look into a complaint which may be serious, namely:"No one else has ever complained about this before."Sub-text: "Therefore, your claim has no merit. Get lost. Next!!"I wonder what the guy at Martin-Thiokol was told when he expressed his reservations to superiors about the cold-weather inelasticity of the rubber O-rings in the solid rocket booster tank, prior to the launch of the Challenger in 1986.I nominate Gavin Young for the Challenger Award, presented annually to the dedicated civil servant who, more than any other person, best illustrates an active refusal to understand a situation and follow its consequences to their logical conclusion, and most fully captures the spirit of the Challenger team in refusing to consider warnings concerning possible incidents that have never occurred before.

dirkleisure 9 years, 11 months ago

If you read the audit, the single computer containing SSNs came from the Kansas Health Policy Authority. While the information on other computers isn't readily available to the public, it is likely available via an open records request.I'm not sure what would be accomplished by tracking down 600 computers sold by Surplus Property. A more appropriate course of action would be to review the records of disposal from those agencies that regularly deal with SSNs and other identifying information, especially since only a portion of disposed computers are sold through Surplus Property.

OldEnuf2BYurDad 9 years, 11 months ago

"The state also is considering whether to hunt down old computers that were sold."Is this a joke? This is the only ethically correct path. Bunch of buttholes.

MattressMan 9 years, 11 months ago

Morons at state level, what a surprise.

Sigmund 9 years, 11 months ago

"The discovery by the Legislative Division of Post Audit brought a temporary halt last month to the sale of used state computers, and promises from the heads of several large state agencies to do a better job." (Translation: Now that the cows are out we promise to close the barn doors in the future. Really, trust us!)"The state also is considering whether to hunt down old computers that were sold." (Translation: Here Bessie, where have you gone you old moo cow you?)Legislators that don't now the details of the gun laws they pass and now administrators and IT staffs who are morons or too lazy to actually do their jobs. If this breach of privacy had happened at a private company I am sure they would have been sued into compliance by consumers and prosecuted by Federal and State authorities for a breach of a duty to protect consumers privacy. So when someone uses this information to steal your identity, who you going to sue?Did you ever hear of a State of Kansas or City of Lawrence employee who lost their job for incompetence? Not likely. I am sure some porker somewhere will insist we need to pay more in taxes to hire consultants who will recommend a pay raise so they can add additional and I am sure the voters will approve it.

monkeyspunk 9 years, 11 months ago

10 out of 15 computers had recoverable data on them.600 were sold. Depending on the sampling done by the auditors it is very feasible that 400 computers left the state surplus sale with recoverable data on them. How can people NOT get fired over this? I deal with the retardation that is the state technology structure on nearly a daily basis, this fiasco is a direct result of the State's IT organization. Many of the State's departments have Chief Information Technology Officers. If a computer came from a department that had "no policies" or thought the surplus would do it, then the CITO should be fired. If it happened in an agency where policies weren't followed, then reprimands should be handed down, from the CITO down to the tech responsible.This wouldn't fly in the corporate world, it shouldn't in Topeka.

Commenting has been disabled for this item.