Topeka - Computers sent to the state Surplus Property agency for sale to the general public still contained confidential information, including thousands of names and Social Security numbers, according to an audit released Wednesday.
The discovery by the Legislative Division of Post Audit brought a temporary halt last month to the sale of used state computers, and promises from the heads of several large state agencies to do a better job. The state also is considering whether to hunt down old computers that were sold.
Lawmakers expressed dismay over the findings and worried about the potential for identity theft and computer hacking.
"After reading this report, I had to take a few nitroglycerin tablets and go lay down," said state Rep. Virgil Peck Jr., R-Tyro.
Lawmakers had asked Legislative Post Audit to find out if data was properly disposed of from state computers that were being sold as surplus property.
Auditor Allan Foster checked 15 computers at the state Surplus Property agency. Data was still on 10 of the computers, and seven of those contained confidential documents, including thousands of Social Security numbers, he said.
"The results were pretty disturbing," Foster said.
For the Legislative Post Audit Committee, Foster demonstrated how he was able to access confidential files by using readily available $60 software.
He found thousands of names and Social Security numbers of Medicaid beneficiaries, personnel information on state employees, password files that could be misused by computer hackers, employee accident reports, an investigation into alleged improprieties by a grant recipient, architectural drawings of a state office building, and copyrighted music files.
If those names and Social Security numbers had gotten into the public, he said, it "would have cost the state a lot of money" to provide those people with help in making sure identity thieves didn't use the information to get credit cards in their names.
He said some state agencies had no policies for removing data from computers taken out of service, while others thought Surplus Property was responsible for wiping out the hard drives. Some computers had been reformatted, but that didn't remove all the data.
In response to the audit, several state agencies said they would immediately tighten up policies and procedures to take care of the problem.
But Foster noted the problem could be more widespread. Surplus Property disposed of approximately 600 computers on behalf of state agencies in the year ending April 30. And the audit looked only at state agencies in Topeka, and didn't take into account state offices across Kansas and how they dispose of computers.
Gavin Young, a spokesman for the Department of Administration, said the agency was considering whether to try to track down used state computers to determine if their data was deleted. But, he said, the department has received no reports of identity theft based on data contained on computers from state agencies.
"We don't have a single occurrence of this situation ever happening," he said.