Four agencies within the Washington State government were set to sell computers that hosted confidential data, including Social Security numbers, tax information and – in one case – a psychiatric evaluation.
The sale was found during a six-week audit of surplus computers, which the state sells about 10,000 of each year.
Troy Kelley, the state’s auditor, looked at a sample of 177 computers slated for sale last summer and found that 11 had information that would have been unlawful to disclose.
The computers were immediately quarantined in the state’s Department of Enterprise Services’ warehouse once the failures to erase the data were discovered.
The sale of surplus computers brought the state slightly more than $400,000 last year, a state spokeswoman told The News Tribune, leading Kelley to wonder if the annual sales were worth the risk.
“If we are getting very little money for these computers and we have high risk, then I think we have to stop,” he said.
Auditors said it was not hard to find some of the data. Overall, auditors found sensitive information on five different computers from the Department of Social and Health Services, three at Labor and Industries, two at Ecology and one at the Department of Health.
There is no evidence the personal data left on these machines in the past has been misused by the buyers over the years.
In most cases, the state’s departments had data removal policies and software to clean the computers of all data, but Michael Cockrill, the state’s chief information officer, told the paper staffers were not following the policies in place or had used the software but failed to verify the computer hard drives had been erased.
The audit did single out two agencies – Employment Security and Enterprise Services – for following best practices set by the National Institute of Standards and Technology to verify data removal from hard drives.
Auditors said their findings mirrored what other states have found when analyzing surplus computer sales.
Cockrill said his agency is reviewing options going forward and that it is possible the state would completely stop sales of computers that have old hard drives. He said in a press conference “mistakes were made,” but did not pinpoint who was to blame for the lapse.
The audit looked at computers, but not printers and copiers that can retain large amounts of data.