By CHRIS GREEN
Harris News Service
TOPEKA -- Lawmakers expressed alarm Wednesday over a legislative report showing that confidential information was left on outdated state computers being released for sale to the public.
The Legislative Division of Post Audit found that several state agencies had failed to adequately remove sensitive data from some machines, including Social Security numbers and password files.
The computers had been turned over to a government office that disposes of excess state property for Topeka-based agencies, but they hadn't been sold.
However, the report stated the state's problems with handling surplus computers posed a significant risk for a costly and embarrassing breach of private data to the public or criminals.
"There were some very troubling revelations in that audit," said Senate Majority Leader Derek Schmidt, R-Independence, who leads the legislative committee that oversees audits.
Gavin Young, a spokesman for the Department of Administration, said the state hasn't received any reports of identity theft resulting from state computers being sold.
He said the agency is considering whether it should try to track down the machines.
As a result of their findings, researchers recommended a stronger state policy on removing data from used computers and better education for state agencies about the issue.
They also warned that the state's security problem could be more widespread because the audit didn't take into account any issues for state government entities based outside Shawnee County, such as state universities.
To conduct the analysis, researchers looked for data on 15 computers that had been transferred to state surplus, six of which had been prepared for sale by that office.
Auditors first tried to obtain the information by turning the computer on and searching it. They also removed the hard drive and read it with another machine and used file retrieval software.
They found that agencies had fully overwritten just five of the computers, while most of the data had been removed from two others. Five of the machines had only been reformatted, which didn't fully remove the data, while nothing had been done to three other computers.
"The results were pretty disturbing," auditor Allan Foster said.
Researchers found that seven of the 15 computers they looked at still contained information that's considered confidential under state or federal law. That includes thousands of Social Security numbers, names of Medicaid beneficiaries and personnel information about state employees.
Password files and other network information that could be valuable to hackers were also on the machines.
Another four computers contained sensitive agency files such as employee accident reports and architectural drawings of state office buildings. One even contained copyrighted music files.
The state Department of Administration temporarily suspended the sale of the computers through state surplus after being notified of the situation.
Auditors reported that the data wasn't properly wiped off because the agencies lacked removal policies, relied on surplus property to remove the data or did a poor job of keeping track of their computers.
The Adjutant General's office, Department of Administration, Kansas Health Policy Authority and the Kansas Sentencing Commission were the agencies whose computers contained confidential or sensitive files that could be recovered.
The report said the best way to remove data is to physically destroy the hard drive, demagnetize the disk with a powerful magnet or use specialized software to overwrite the hard drive multiple times.
In written responses to the report, those agencies acknowledged the problem and outlined steps that they've taken to prevent data from being left on computers in the future, including using specialized software.
But the study's results prompted Rep. Virgil Peck, R-Tyro, to question whether the state received enough money from the sale of antiquated computers to justify the potential security risk.
State surplus disposed of about 600 computers on behalf of state agencies between April 2007 and April 2008. The machines listed as being for sale on the surplus Web site Wednesday afternoon were priced at $5 and up.
"I have a discomfort level that we're going to be able to get this remedied forever and ever," Peck said.
Legislative Division of Post Audit Report: www.kslegislature.org/postaudit/audits_cc/08cc03a.pdf
John Franks says....
An excellent and timely article: It's amazing that breaches and thefts keep happening. Considering “what goes around, comes around”, I wonder how soon any one of us has personal experience with identity theft? It's also interesting that reactive measures don't concentrate on the obvious solution – a proactive treatment and training of people, and reinforcements to their corresponding security awareness. In those regards, there is a defined eCulture called "The Business-Technology Weave" that helps to influence employee behaviour as regards security, use and integrity of data - as well as protection of hard assets (such as laptops). This is particularly relevant: http://www.businessforum.com/DScott_02.html . Some good stuff here too: www.david-scott.net . We use his book at work - stupid mistakes like deleted and misplaced data have dropped tremendously. Our CEO even requires our vendors to read it. It’s making a huge difference.
6/20/2008
salina.com is an online feature of the Salina Journal. Copyright © 2008 Salina Journal and MediaSpan.