Security slip

Lax state policies have compromised thousands of Social Security numbers and other personal information.

To those who carefully guard their Social Security numbers and other information that could allow someone to steal their financial identity, the news this week out of Topeka was stunning.

An investigation conducted by the Kansas Legislature’s Division of Post Audit found that many surplus state computers, perhaps hundreds, had been sold to the general public while they still contained confidential information stored by the original users. That information included thousands of names and Social Security numbers as well as personal information on state employees and password accounts that would come in handy for anyone wanting to hack into the state’s computers.

Out of 15 surplus computers tested by the auditors, 10 still contained some data; seven of those 10 held confidential information that the auditors said could be easily accessed using software that is readily available for about $60.

In tracing this discovery back, the auditors found that many state agencies had no policies for removing data from computers that were being discarded. Some thought the state’s Surplus Property agency was responsible for clearing the hard drives, but that isn’t the case.

It isn’t known how many data-containing computers were sold, but the state reportedly disposed of about 600 computers in the year ending April 30. Because they haven’t received any reports linking identity theft to surplus state computers, state officials seem to be adopting the attitude of “no harm, no foul,” but who knows what information now is floating around waiting to be plucked off and used for nefarious purposes?

State officials are considering whether to try to track down the computers that were purchased, but that would be next to impossible. It seems that all state residents can do is watch their bank and credit card accounts and keep their fingers crossed.

State agencies said they would immediately tighten up their procedures for disposing of computers. That’s good, but it could be coming too late. Considering how little money the state probably makes from selling outdated computers as surplus, it might make more sense, both financially and for security reasons, to simply destroy the computers when they are taken out of service.

The news about the computers is another example of the Legislative Division of Post Audit more than earning its keep for state taxpayers. It’s good that legislators decided to ask the questions that led to the computer audit; it’s just too bad they didn’t start asking a little sooner.