Columbus, Ohio may be placing a lot of sensitive data in danger of theft when it retires old computers, according to one security expert. Columbus’ Department of Technology receives guarantees from its computer disposal vendor that all of the hard drives and other parts that may contain sensitive data have been destroyed. However, city technicians have not kept any record of exactly what they have taken out of service and sent for destruction.
“This makes it difficult to ensure that all of the retired computers have been disposed of properly,” according to Gene Spafford, a professor from Purdue University who is also executive director of the school’s Center for Education and Research in Information Assurance and Security. “If they don’t have positive tracking between tracking what’s in the system and tracking what’s being disposed of with one-to-one matches of serial numbers, it’s possible for someone to steal the equipment without anybody knowing about it,” he said.
The city government, which handles income-tax records as well as medical records, among other sensitive data, has never lost any of it, according to Columbus’ technology director Gary Cavin. Cavin stated that his department has been especially careful since 2007, when a data tape containing personal information on 1.3 million Ohioans was stolen from a state-government intern’s car. Ohio then provided a year of free identity-theft protection to all those at risk at a total cost of $2.2 million.
Officials at The Ohio State University said that they plan on spending $4 million on an investigation and credit protection services after a hacker allegedly accessed records for nearly 760,000 students, professors and other individuals who do business with the university.
It is said that the hard drives should not contain any sensitive material because Mayor Michael B. Coleman issued an executive order back in 2007 prohibiting city workers from storing any sensitive data on their smartphones, laptops or desktop computers. The data must be left on the city’s servers.
According to Cavin, “If they’re storing data on their C drive, they’re not adhering to the city’s work rules. We take the extra step to contract with a reputable organization to destroy those hard drives.”
City receipts show that the contractors handled hundreds of computers and their hard drives from 2006 through 2010. Resource One Computer Systems handled the job in 2006 and 2007 while TechDisposal recycled the computers in 2009 and 2010. However, there were no records provided for 2008. Cavin assumes that no computers were recycled in that year.
City contractors provide receipts for the computers they have handled; however, Cavin’s office could not provide any city-generated records of the devices taken out of service in any of the five years. There were even some points, like last summer, when the city was completely without a recycling contract.
Cavin stated that computers awaiting recycling were stored pending a renewal of the contract with TechDisposal. He could not, however, provide a manifest of the items in storage.
Spafford stated that it wouldn’t be costly to set up procedures to ensure that all the drives Columbus takes out of service are disposed of properly. It would only require about 100 hours per year of staff time to log the serial numbers of devices taken out of service and check them against the receipts from the recyclers, Spafford said.
“If you compare that against the potential cost of data release,” Spafford said, “it would be time and money well-spent. A failure to secure personal information is negligence. I can’t say the city is negligent, but a failure to do it would put them at that risk.”
Melinda Frank, income-tax administrator for Columbus, said that her office goes to extra lengths in order to ensure that Internal Revenue Service tax information and other sensitive data do not get released. Records showed that 22 of her office’s computers, some of which still contained hard drives, were recycled at TechDisposal in January.
Frank stated that an employee from her office used software approved by the U.S. Department of Defense to wipe information off of the drives. He then followed the computers to TechDisposal to watch the drives being shredded. Frank said that before a contract for data destruction was established, she and her employees brought in goggles and power drills from home and destroyed unneeded disks and hard drives in their conference room. Frank said that she was confident none of her data got out.
Source: The Columbus Dispatch – City’s computer disposal might pose data-theft risks