The Kansas Department of Administration is tightening its computer security standards an audit revealed Wednesday that state equipment slated for sale to the public contained confidential information.
A review of the state surplus property program, which sells outdated equipment to the public, found seven of the 15 machines inspected contained information considered confidential under state and federal law, including one computer that still had 2,856 Social Security numbers in a file.
"After reading through this report, I had to take a couple nitroglycerin tablets and go lay down," said Rep. Virgil Peck, R-Tyro, a member of the Legislative Post Audit Committee that received the results.
Some of the computers were reformatted, but that doesn't permanently delete all files. Auditor Allan Foster demonstrated an off-the-shelf program that can retrieve such data off a hard drive.
He said some state agencies had policies for properly removing information but thought the surplus program would wipe the hard drives clean. Other agencies had no policy at all.
Carol Foreman, deputy secretary of the Department of Administration, wrote in a letter to the Legislative Division of Post Audit that now, when agencies transfer old machines to the surplus program, they will provide a certificate stating all data has been properly removed.
The surplus program also will inspect each computer from now on and notify agencies of improperly cleaned computers.
Gavin Young, spokesman for the Department of Administration, said they also were working with a company that helps destroy hard drives.
In their review of the 15 computers, Foster and his staff found state employee personnel information, the names and Social Security numbers of Medicaid recipients, employee accident reports, and an investigative report into alleged improprieties by a grant recipient.
"The results were pretty disturbing," Foster said.
He warned that the audit didn't grasp the full extent of the problem.
The report focused only on discarded computers in Topeka and didn't include old equipment from state offices outside of Shawnee County.
And officials said it was impossible to know if any of the approximately 600 computers sold through the program last year might have included confidential information.
Young said there have been no reports of identity theft related to computers from
state agencies.
Even one computer slipping into the wrong hands "could cost the state dearly," Foster said, referring to money the state would have to pay to protect affected people from identity theft.
Of the seven computers still containing confidential information, they came from the adjutant general's office, the Department of Administration, the Kansas Health Policy Authority and the Kansas Sentencing Commission
By James Carlson
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment