Auditor Of Public Accounts
State Auditor Crit Luallen Releases State Government - Wide Auditor's Alert Concerning Security of Surplus Computers Available For Public Sale
State Auditor Crit Luallen today announced that a random sampling of computers, designated as surplus property to be offered for sale to the public, revealed that one computer, formerly used by the Kentucky State Police, contained records of 5,828 people who had been issued access cards to state facilities between December 1997 and August 2002. The records contained personal information, including names and social security numbers, for 5,133 individuals. The majority of these records also contain photographs of the individuals. In response to the finding, Auditor Luallen sent an Auditor's Alert reminding all state agencies that electronic media must be sanitized prior to disposal.
The personal information available on the computer's hard drive included security personnel, State Police officers, high-ranking officials, and 107 members of the media. Ms. Luallen's personal information was also found on the computer.
"In light of recent national media reports about the release of confidential information by a credit card company, it is critical that each agency follow the existing policy requiring that every media system should be sanitized prior to being sent to the Division of Surplus Property for disposal. Failure to do so puts state employees and private citizens at an unacceptable risk that critical, confidential information could be used for inappropriate purposes, especially identity theft, one of the fastest growing crimes in America, with estimated losses exceeding $50 billion," said State Auditor Crit Luallen.
Following a similar Auditor's Alert issued in February 2003, the Governor's Office of Technology released a policy identifying acceptable methods to sanitize a computer. According to documents submitted to the Division of Surplus Property by the Kentucky State Police, the computers to be sold had been sanitized. However, that was clearly not the case. All other State Police computers to be surplused were subsequently examined and each was found to be in compliance with the sanitation policy.
"It appears this one computer was inadvertently overlooked. However, with so much potential for disaster accompanying the release of such information, I want to reiterate to every state agency to make sure they sanitize each and every computer or other electronic media," Luallen said.
The computer hard drive also contained history logs of the use of each access card. These logs contained the recorded movements of the individual using the access card throughout state offices.
The Auditor's Office's Division of Special Examinations and Information Technology routinely examines computers prior to their disposal as surplus property. The State Auditor commended the Finance and Administration Cabinet, Division of Surplus Property, for quickly responding to the current problem. All computers were held prior to delivery to the buyer.
The Auditor's Office, in the form of an Auditor's Alert, periodically offers guidance and recommendations to public officials regarding fiscal matters, accountability, and best practices.