OLYMPIA – Some state agencies failed to wipe old computers clean of sensitive or personal data before sending them to be sold as surplus, a new state audit says.
Random checks of computers that agencies sent to the state’s surplus warehouse last summer revealed about 9 percent of them had information that was supposed to be removed before clearing them for sale. The information included Social Security numbers, medical or psychiatric histories of clients, and in one case an employee’s tax return forms. On one computer, auditors found a sticky note that had the machine’s sign-in and password, which still worked.
Auditors found flaws in the system, but no signs that personal data protected by law was ever found or used by a buyer.
State Auditor Troy Kelley said Thursday those agencies were notified and their surplus sales of computers were idled during the audit while procedures were changed. He questioned whether the state should continue its practice of selling its obsolete computers.
“If we’re getting very little money, and there’s high risk, I think we have to stop,” Kelley said.
A study is being done on whether the risks outweigh the value of selling surplus computers, said Michael Cockrill, the state’s chief information officer.
“The state has received no reports of any data from PCs being compromised,” he said.
The state disposes of as many as 10,000 older computers a year. Some are sold at a state store with other surplus items and many are donated to public schools under the Computers 4 Kids program started in 2000. State policies call for agencies to remove all files and personal data from computer hard drives before sending them to surplus, but after hearing of problems in other states, Kelley’s office did random checks of computers at the surplus warehouse over a six-week period.
They tested 177 computers and found 11 still had confidential data on them. Extrapolating that same percentage to the 1,215 computers sent to surplus over that period, as many as 109 computers could have had confidential data.
The state agencies involved – the Ecology, Health, Labor and Industries, and Social and Health Services departments – said in the audit response that they have improved procedures to remove sensitive data.
Most of the mistakes made on the 11 computers flagged in the audit were human error, Cockrill said. “Sometimes humans make mistakes.”
Now all hard drives from surplus computers are removed and either shredded or sent through the Computers 4 Kids program. Those hard drives are wiped to U.S. Department of Defense standards by a state corrections employee at Airway Heights Corrections Center, then refurbished by inmates in a prison program. No inmate has access to hard drives or other storage media before they are wiped clean, the Department of Enterprise Services said in the audit report.
Most hard drives go into school computers, but some will be returned to the state surplus store in Tumwater to be sold with computers or separately, Cockrill said. The state did not release the results of its audit until new procedures were in place to avoid any “extra vulnerability,” he said.