TOPEKA, Kan. - The Legislative Post Audit Committee Wednesday, June 18, indicated that several old state agency computers had not had their drives swept clean before being put up for sale. One of those held 2,800 social security numbers.
The committee completed the audit of surplus computer equipment in about a month. The mission was to determine whether state agencies effectively remove software and agency data from surplus computers.
They picked some computers that had come into Surplus Property, and some that had already been processed. Of the 15 computers they checked, five had no data on them - the way they're supposed to be. They were able to retrieve data from the other 10, meaning they could access information the companies had in the computer.
"I was surprised at the extent of the problem," said Allan Foster, internet technology auditor with the Legislative Division of Post Audit.
There were four agencies that had data: Department of Administration, the Sentencing Commission, Health Policy Authority and the Adjutant General's Office.
"Some of them had the mistaken impression that Surplus Property was actually wiping the computers," said Foster. "They did something to the computers, but it really wasn't sufficient to take the data off. The data wasn't apparent when you booted the computer up, but if you used the right software you could see the data."
If the 2,800 social securities numbers the Audit Committee found on the computers had been sold to an organization or the public, it could have been a disaster.
"Worse case scenario would be somebody got that list who wanted to sell it to somebody that could use it to steal identities or other nasty things," said Foster. "That would be the worst case scenario: that all those people would have their identities stolen."
"One of our recommendations was that ITech - which is the policy-setting body for state government - adopt a stronger policy," said Foster. "I think they meet in July and they'll adopt that policy then."