Published: Thursday, March 10, 2011
By Salvador Rizzo/Statehouse Bureau
TRENTON - Thousands of state computers auctioned off to the public may have been sold with confidential data — from Social Security numbers to names and addresses of children under foster care — still on their hard drives, state officials disclosed Wednesday.
A report released by the state comptroller describes how four agencies also left child-abuse reports, tax returns and memos between government officials on discarded computers at the state’s surplus warehouse in Hamilton that were about to be auctioned.
"To say that the system was dysfunctional is putting it mildly," said State Comptroller Matthew Boxer. "The record-keeping that we found at the warehouse was in some instances simply nonexistent and where it did exist generally inadequate, making any tracing of auctioned equipment either exceedingly difficult or impossible."
The auctions were halted when Boxer stepped in last July and reviewed procedures at the warehouse, and the state immediately ordered that no more hard drives be sold.
But for equipment sold in the past — much of it distributed worldwide — it may be too late. Boxer said it is possible the state auctioned off computers with sensitive data over the years. "In terms of what happened before our auditors went out, there is obviously an issue of concern," he said.
The government has been selling its used computers since 1995, according to Treasury spokesman Andy Pratt, whose department manages the warehouse. The state sold 11,000 computers in the last two fiscal years, he said.
"Because the market is not so hot in the U.S. for used computer equipment, a lot of it ends up going overseas," Pratt said.
He added, "I think everybody doesn’t like this and they’re concerned about any security breach, period."
From January to March last year, the comptroller’s auditors inspected 58 hard drives at the warehouse. They said 79 percent of those were not wiped clean before agencies handed them off. About one-third still had sensitive information, which also included a state judge’s tax returns, mortgage information and his life insurance trust agreement.
Had the auctions gone through, that data could have ended up in unauthorized hands — a violation of federal and state laws. Paul Loriquet, a spokesman for Attorney General Paula Dow, declined to say whether the state would take action in response to the potential security breach. He said the comptroller’s office had not yet referred its report to them.
The auditors described the system for disposing of computers as flawed in almost every way: Agencies repeatedly ignored the guidelines when they sent surplus equipment to the warehouse. Warehouse employees, in turn, kept incomplete records of equipment coming in. Some agencies and nonprofits collected disproportionate amounts of items.
The comptroller made 10 recommendations for reducing the security risks and improving the surplus system overall, which in large part reiterate the guidelines that were already in place. The Treasury Department has agreed with most of them and said reform efforts were underway.
"We’re going to have more codified and more detailed procedures as needed and as we go along," Pratt said. "But I think the central part of this is the privacy concerns. We have addressed that in the most complete way that we possibly can."
Pete McAleer, a spokesman for the comptroller, said the audit covered the Department of Children and Families, the Department of Health, the Office of Administrative Law and the state’s judiciary branch. He said the Department of Children and Families had been notified in 2009 by Treasury that it needed to wipe its hard drives, but the problem persisted.
The audit was launched after a probe by state law enforcement officials into alleged illegal activity by warehouse employees in 2007. All five of the employees were charged with theft and official misconduct, and four have pleaded guilty.
Jim Kegley of U.S. Micro Corporation, which disposes of computer equipment for state and federal government agencies, said New Jersey was facing "a huge exposure" in terms of security.
He said that when Blue Cross of Tennessee lost hard drives, for example, it spent $7 million "just on the forensics to see what kind of data was on there."
"They’ve since identified 550,000 Blue Cross users involved," Kegley said. "Just off of 57 hard drives."