New Jersey Agencies Fail to Purge Confidential Data from Discarded Computers

Social Security numbers and confidential data about child abuse cases were among the data found on computers the state of New Jersey planned to sell, auditors found.

The state comptroller's office examined a sample of computers stored in a warehouse and found 79 percent still contained information, according to an audit report released March 9. Nearly a third contained some kind of personal identifying information, such as names and Social Security numbers, the report said.

Under state guidelines agencies in New Jersey must delete all information stored on a computer before redistributing, reselling or disposing of it. State and federal law prohibits releasing confidential data to unauthorized persons.

"At a time when identity theft is all too common, the state must take better precautions so it doesn't end up auctioning off taxpayers' Social Security numbers and health records to the highest bidder," State Comptroller Matthew Boxer said.

The audit of desktops and laptops awaiting an auction was conducted through several visits from July 2008 to December 2010. Auditors found information on 48 of 56 hard disk drives it tested during the audit. The comptroller's staff found data on the tested machines from four state agencies, including one that had been cited in 2009 for discarding computers without properly scrubbing data from the hard drive. The agencies were not named in the report.

The information included a state judge's tax returns, mortgage documents and life insurance trust agreements. Some computers contained personnel reviews, Social Security numbers belonging to New Jersey taxpayers and state employees and personal contact information for former Governor Jon Corzine's cabinet. A computer contained a list of state employees' e-mail addresses, computer passwords and internal staff memos.

Auditors also found 230 files related to state investigative case screenings and child abuse reports, including fatality reports. Many of these files contained names, phone numbers and addresses of children involved. Child immunization records and health evaluation reports were also included in this set of documents

"The availability of such confidential personal information and sensitive business information to third parties through the disposal of state-owned computer equipment presents security risks to the affected individuals and state agencies," the audit said.

Under state rules, other state agencies and local government groups can claim discarded computers within 30 days before they are sold or donated. Even so, auditors found over 900 cell phones earmarked for a non-profit organization in the surplus warehouse that had not been made available to other agencies. Four of the computers in the warehouse that were packed to be sold as scrap were still under warranty, the auditors found.

This kind of potential data breach is not unusual, unfortunately. A global survey of more than 1,500 businesses conducted by British consultancy Kroll Ontrack found that 75 percent did not delete data securely. An audit of computers and other equipment being sold by NASA also failed to properly remove confidential information from the disk drives.

After the comptroller's office informed the Division Of Purchase And Property of the audit findings, the DPP temporarily suspended auction sales of discarded computers. The DPP also informed agencies of the problems and implemented modified policies and procedures and decided that the warehouses will no longer accept any kind of storage media. Sanitizing and deleting data storage devices became the sole responsibility of the original agency, and the computer equipment being put up for sale has to be certified as not having a hard drive, the report said.

The audit was launched after state law enforcement officials investigated allegations of illegal activity at the surplus warehouse in 2007.