OLYMPIA -- Some state agencies failed to wipe old computers clean of sensitive or personal data before sending them to be sold as surplus, a new state audit says.
Random checks of computers that agencies sent to the state's surplus warehouse last summer revealed about 9 percent of them had information that was supposed to be removed before clearing them for sale. The information included Social Security numbers, medical or psychiatric histories of clients, and in one case an employee's tax return forms.
On one computer, auditors found a Post-it note that had the machine's sign-in and password, which still worked.
Auditors found flaws in the system, but no sign that personal data protected by law was ever compromised.
State Auditor Troy Kelley said today those agencies were notified and their surplus sales of computers were frozen during the audit while procedures were changed, and there's no evidence that any private information had been compromised. He questioned whether the state should continue its practice of selling its obsolete computers.
"If we're getting very little money, and there's high risk, I think we have to stop," Kelley said.
A study is being done to answer whether the risks outweigh the value of selling surplus computers, Michael Cockrill, the state's chief information officer, said.
"The state has received no reports of any data from PCs being compromised," he said.
The state disposes of as many as 10,000 computers a year. Some are sold at a state store with other surplus items and many are donated to public schools under the Computers 4 Kids program started in 2000. State policies call for agencies to remove all files and personal data from the computer hard drives before sending them to surplus, but after hearing of problems in other states, Kelley's office did random checks of computers at the surplus warehouse over a six-week period.
They tested 177 computers and found 11 still had confidential data on them. Extrapolating that same percentage to the 1,215 computers sent to surplus over that period, as many as 109 computers could have had confidential data.
The state agencies involved -- the Ecology, Health, Labor and Industries, and Social and Health Services departments -- said in the audit response that they have improved procedures to ensure that sensitive data is removed. Cockrill said the state Information Office had minimum standards that were thought to be adequate, but after the audit those were improved to add additional checks.
Most of the mistakes made on the 11 computers flagged in the audit were human error, Cockrill said. "Sometimes humans make mistakes."
Now all computer hard drives from surplus computers are either shredded or sent through the Computers 4 Kids program that sends computers to public schools for free or at large discounts. Those hard drives are wiped to U.S. Department of Defense standards by a state corrections employee at Airway Heights correctional facility and refurbished by inmates in a prison program. No inmate has access to hard drives or other storage media before they are wiped clean, the DES said in the audit report.
Most hard drives go into school computers, but some will be returned to the state surplus store in Tumwater, to be sold with computers or separately, Cockrill said.
The state did not release the results of its audit until new procedures were in place to avoid any "extra vulnerability", he said.