New Jersey state agencies left confidential data such as child abuse reports and Social Security numbers on discarded computers being prepared for sale, the state comptroller said.
numbers and confidential data about child abuse cases were among the data found
on computers the state of New Jersey planned to sell, auditors found.
examined a sample of computers stored in a warehouse
and found 79 percent still contained information, according to an audit report
released March 9. Nearly a third contained some kind of personal identifying information,
such as names and Social Security numbers, the report said.
Under state guidelines
agencies in New Jersey must delete all information stored on a computer before
redistributing, reselling or disposing of it. State and federal law prohibits releasing
confidential data to unauthorized persons.
"At a time when identity
theft is all too common, the state must take better precautions so it doesn't
end up auctioning off taxpayers' Social Security numbers and health records to the
highest bidder," State Comptroller Matthew Boxer said.
The audit of desktops and
laptops awaiting an auction was conducted through several visits from July 2008
to December 2010. Auditors found information on 48 of 56 hard disk drives it
tested during the audit. The comptroller's staff found data on the tested
machines from four state agencies, including one that had been cited in 2009
for discarding computers without properly scrubbing data from the hard drive.
The agencies were not named in the report.
The information included a
state judge's tax returns, mortgage documents and life insurance trust
agreements. Some computers contained personnel reviews, Social Security numbers
belonging to New Jersey taxpayers and state employees and personal contact information
for former Governor Jon Corzine's cabinet. A computer contained a list of state
employees' e-mail addresses, computer passwords and internal staff memos.
Auditors also found 230
files related to state investigative case screenings and child abuse reports,
including fatality reports. Many of these files contained names, phone numbers
and addresses of children involved. Child immunization records and health
evaluation reports were also included in this set of documents
"The availability of such confidential
personal information and sensitive business information to third parties
through the disposal of state-owned computer equipment presents security risks
to the affected individuals and state agencies," the audit said.
Under state rules, other state
agencies and local government groups can claim discarded computers within 30
days before they are sold or donated. Even so, auditors found over 900 cell
phones earmarked for a non-profit organization in the surplus warehouse that
had not been made available to other agencies. Four of the computers in the
warehouse that were packed to be sold as scrap were still under warranty, the
This kind of potential data
breach is not unusual, unfortunately. A global survey of more than 1,500 businesses
conducted by British consultancy Kroll Ontrack found that 75 percent did not
delete data securely. An audit of computers and other equipment
being sold by NASA
also failed to properly remove confidential information
from the disk drives.
After the comptroller's
office informed the Division Of Purchase And Property of the audit findings,
the DPP temporarily suspended auction sales of discarded computers. The DPP also
informed agencies of the problems and implemented modified policies and
procedures and decided that the warehouses will no longer accept any kind of
storage media. Sanitizing and deleting data storage devices became the sole
responsibility of the original agency, and the computer equipment being put up
for sale has to be certified as not having a hard drive, the report said.
The audit was launched after
state law enforcement officials investigated allegations of illegal activity at
the surplus warehouse in 2007.