Washington state failed to erase Social Security numbers, medical records, tax forms and other confidential information from some surplus computers it has sold or given away, according to a state audit released Thursday.
It’s unclear how many computers went out the door with personal information. Auditors found private data on 11 computers set to be given away or sold last summer. Based on that discovery and a statistical analysis, they estimated that 9 percent of surplus computers contained sensitive information.
The state gets rid of roughly 10,000 computers each year through the surplus program, which has existed since the 1970s and nets about $4 million annually for agencies, according to a program spokeswoman.
The audit found that despite state law requiring computers to be scrubbed before going to surplus, some agency workers either were not following protocol or were being sloppy, leaving private data in places that could be accessed by people with computer knowledge.
“With the right knowledge of data retrieval, the confidential information we found could be obtained in a few minutes,” according to the audit report. “Had these computers been sold, the presence of confidential information on their hard drives posed a risk of harm to private individuals and the state.”
Michael Cockrill, the state’s chief information officer, described the audit as “precautionary,” saying there have been no reports of any information being compromised. Cockrill said the state moved to address the problems before the audit’s release. Among other actions, he said the state quarantined the identified computers, halted sales and established new rules.
All surplus computers are now going through an additional secure scrubbing program run by the state Superintendent of Public Instruction, Cockrill said.
Nevertheless, the audit raised questions about technology security at a time of heightened awareness of the issue.
State Auditor Troy Kelley conducted the performance audit to help assess security after seeing similar audits in other states, spokesman Thomas Shapley said.
Overall, auditors examined 177 of about 1,215 computers sent to surplus by 13 Washington state agencies last July and August.
The private data was on computers sent by the departments of Labor & Industries; Ecology; Health; and Social and Health Services, according to the audit.
The first three of those agencies had procedures in place to erase data. They told auditors that workers had made mistakes, such as setting aside computers for surplus before they were scrubbed and sending some computers that would not start to surplus on the assumption that they were broken.
Spokespeople for all three agencies said they were not aware of any discipline related to the audit findings. New training was conducted as a result of the audit, they said.
The Department of Social and Health Services (DSHS) was not able to provide auditors with documentation of scrubbing procedures, according to the report. Neither were the departments of Transportation and Parks, or the state Senate.
Six other agencies “did not follow the recommended leading practice of verifying data on hard drives is erased or destroyed” — the departments of Ecology; Health; Labor & Industries; Fish & Wildlife; and Natural Resources, as well as the Office of the Insurance Commissioner, according to the audit.
In addition to the confidential information, auditors discovered dozens of photos of a sexual nature on a computer that had belonged to the state Department of Labor & Industries.
No discipline occurred as a result of that, either, a spokesman said.
Ben Vaught, of the Office of the Chief Information Officer, said many state agencies thanked the auditors for helping them to tighten data-security procedures. He said he hoped that local governments — and private citizens — would take the audit as a reminder to be proactive.
“End-of-life data disposal is often an overlooked part of the overall security process,” Vaught said. “This is a good reminder for all of us.”
Brian M. Rosenthal: 206-464-3195 or firstname.lastname@example.org. On Twitter @brianmrosenthal