The New Jersey Office of the State Comptroller (OSC) reports that various state agencies left confidential information on computers that were slated to be sold at a public auction. The OSC says it obtained the equipment prior to the auction, preventing unlawful data disclosure.
According to OSC, the computers were shrink-wrapped on pallets at the state’s surplus property warehouse and ready to be sold at public auction until its auditors intervened.
The computers had been deemed surplus and sent to the warehouse for redistribution. State guidelines dictate that state agencies must remove all data from a computer’s hard drive before sending it to the warehouse. Other state agencies have 30 days to claim the equipment from the warehouse before it is disposed of through public auction or donation.
Despite the requirements, OSC auditors found data on 79 percent of the computers sampled at the warehouse and confidential or personal information on nearly one-third of the computers.
“At a time when identity theft is all too common, the state must take better precautions so it doesn’t end up auctioning off taxpayers’ Social Security numbers and health records to the highest bidder,” says New Jersey Comptroller Matthew Boxer.
According to OSC, employees from one state agency told auditors they had the necessary equipment to purge data from the computers but the staff was reluctant to use the equipment because of the noise and magnetic fields generated.
The data found on the computers recovered at the state warehouse by OSC information technology auditors included a list of state-supervised children, along with their dates of birth and Medicaid numbers; numerous files belonging to a state judge, including the judge’s life insurance trust agreement, tax returns, mortgage information and Social Security number, as well as a confidential fax to the Lawyer’s Assistance Program concerning an attorney’s “personal emotional problems” and non-public memoranda by the judge concerning potential impropriety by two attorneys; Social Security numbers of state employees and members of the public; files related to child abuse cases, including a child fatality report, child immunization records and a child health evaluation; a list of vendor payments referencing names of children and including contact information for children placed outside of the parental home; personnel reviews, computer sign-on passwords and e-mails of state employees; and internal memoranda from a state agency and personal contact information for multiple members of the then-governor’s cabinet.
Also found at the warehouse were four computers that were packaged to be sold at auction as scrap, even though they were still under vendor warranty. OSC says its inquiries revealed that the computers had been transferred to the warehouse in error.
According to the OSC audit, employees of the state warehouse were not complying with requirements concerning the redistribution of the computer equipment they received. Auditors say they observed local government representatives picking up equipment in the warehouse without other local governments, state agencies or nonprofits having received equal access to or notice of that equipment as required by New Jersey rules. For example, during a 15-month period, more than 900 cellular phones sent to the warehouse were set aside for one particular nonprofit, according to OSC.
After a meeting with OSC staff in which preliminary findings of the audit were discussed, the state modified its data security policies and procedures. For example, the state has issued an interim policy requiring agencies to remove all hard drives from computers sent for redistribution while the Department of the Treasury develops a permanent policy for handling such computers.
In total, the audit makes 10 recommendations to state officials for improving procedures concerning surplus computer equipment.
At AccuShred, we firmly believe that the physical destruction of hard drives and other electronic media is the ONLY way to prevent your sensitive information from ending up in the wrong hands. While wiping the drive is a good start to eliminating data from a hard drive, it is not 100 percent effective. If you have hard drives that you would like physically destroyed, please send us an email at email@example.com or call us at 800-747-3341. We will send you a notarized Certificate of Destruction with a complete list of serial numbers after the hard drives have been destroyed.