State of New Jersey Office of the State Comptroller Disposition of Excess and Surplus Computer Equipment
– The Division of Purchase and Property (DPP) in the Department of Treasury is responsible for, among other things, the coordination and redistribution of computer equipment within state government. – All state departments, send DPP their surplus computer equipment. – Operations performed by Division of Property Management and Construction because they operate the warehouse. Background
– If equipment cannot be redistributed, it is sold at auction as scrap. Unless valuable equipment is identified, the equipment is sold in lots of 24 pallets of mixed equipment. – Data removal is the responsibility of agencies sending equipment, but in the past, Treasury personnel had become aware of instances of equipment containing data passing through the surplus process. Background
Pallets Ready For Auction
Data Issues – Policy requires degaussing of hard drives. Degaussing involves exposing electronically stored data to a magnetic field, effectively scrambling the bits on the drive, making the data useless. Degaussing, while effective, does not allow the State to redistribute some equipment efficiently. – The State data protection procedures put data protection in the hands of data owners.
Audit Procedures – Utilized non-statistical sampling method. – Checked computers at various stages: Arriving from an agency On the warehouse floor Disassembled loose hard drives Computers packaged for sale
Audit Procedures, contd. – Equipment was retrieved over multiple weeks, on different days, to help prevent observation bias. Checked 103 computers and found 39 drives. Pulled 19 loose hard drives for a total of 58 drives. Sample still limited by agencies inventory cycles.
One pallet, half disassembled
Limitations – Limited testing to desktop and laptop PCs. Also tested smart phones, but encryption prevented further examination. – Did not test servers, copy machines or other products. Lack of available expertise and news reports about the problems with copy machines also made this a well- known problem.
What we looked for – Connected drives as external media using a drive kit to a Windows XP machine. – First reviewed common file locations, such as My Documents. – Then searched for commonly used productivity software extensions: DOC, DOCX XLS, XLSX PDF ZIP, RAR Various common database extensions.
Data Classifications – NJs data classification is defined into four categories: Personal (Highest, covered by other privacy laws, SSNs, HIPAA information) Confidential (Sensitive information not available through public records requests) Secure (non-public information that would normally be accessible through a public records request) Public (Publicly available information) Also noted non-business data, such as users personal or incidental files.
Technical Method -Due to the cost of forensic software, consulted with NJ State Police computer crimes unit to find an alternative. -Utilized File Scavenger, a commercially available program ($50), to search drives. -Connected as external hard drives to Windows XP machine.
Second Pass – To ensure that Personal and/or Confidential data did not exist, we ran the data recovery tool. – Objective was to locate deleted files. Remember, a deleted file is not really deleted. – Two modes for search: Quick scan- few minutes – could recover recently deleted files. Deep scan- hour+ - if files could not be recovered using Quick scan method.
Findings -46/58 drives (79%) had data (not degaussed). -37/58 drives had data that was business-related. -13 drives had personal and 5 had confidential data.
In depth review of 5 drives -One drive contained over two hundred files from State investigative case screenings for child abuse, endangerment and neglect. Files had child immunization records, a health evaluation; many had names and addresses of children. -Another had been used by a higher-level official, and contained internal memoranda, internal briefings for a State cabinet level officer, work plans for individual staff and the personal contact information for several State cabinet-level officers. -One contained an Outlook archive that included login credentials for multiple users computers and personnel reviews containing SSNs.
In depth review of 5 drives, contd. -Still another had vendor payments for children placed outside of the home by a department, with names, addresses and phone numbers, along with case information. -Personal life insurance trust agreement, three years of tax returns, a final mortgage payment letter including the address of the property and account number; the individuals Social Security number; a confidential fax concerning an employee personal emotional problems; and memoranda concerning potential attorney impropriety.
Agency Responses -One agency had degaussing equipment but staff would not use it because of noise and magnetic fields. -Another stated the person responsible for the sending of drives was no longer employed with the agency
Agency Responses, Contd. -Treasury suspended auction sales based on our findings, and temporarily did not accept storage media of any kind. -Agencies must certify the removal of all storage media for a shipment to be accepted. -One of the agencies had also been previously identified by treasury as a sender of confidential data.
Prescribed Equipment Controls -Computer disposal process criteria well laid out -Agency declares equipment surplus. -List is distributed to eligible State agencies, with detailed information about the equipment. -If the equipment can be reused, it should be transferred. -If it reaches the Warehouse, it is held and some good equipment is made available to local government and non-profits through a formal offering at regular intervals. -Non-usable equipment is to be sold at public auction.
Actual procedure -We observed that: Equipment would sometimes be sent without notice. Agencies were informed based on known need, there was no formal list of people looking for equipment. One person was responsible for all equipment controls and reporting. Equipment was not held for the required period.
Actual Procedure, Contd. Usable equipment was sometimes sold due to a lack of floor space. Some departments were taking equipment, while other departments were more often dropping off. While a guard and camera existed, we observed some State employees not signing in and pulling straight to the warehouse loading dock for equipment.
Equipment on the Floor
Equipment Control Review -Reviewed documentation for 11 shipments, 2 did not have any packing list or inventory, and none were certified of data removal. -A check of equipment serial numbers against vendor warranty website indicated that four computers were still under warranty when they were on a pallet waiting to be sold.
Equipment Control Review, Contd. -Equipment was transferred to local government agencies and non-profits through the same procedure used for State agencies. 2,000 various items had been redistributed this way items over 15 months. 900 cellular telephones were supplied to a non-profit after being specifically held for them. Agencies had not been notified of availability. -Agencies outside State government had not been informed of available equipment through the proscribed procedure since No cost-benefit analysis.
Outcome – State of New Jersey no longer selling drives with data, preventing the risk of a future data breach through this channel – NJ State Legislature passes Public Law 2011, Chapter 225, revising the procedure for data protection in the disposal process Expands definition of equipment to be protected to include portable communication devices. Empowers Director of Purchase and Property to set standards for redistribution of equipment, including usability and the amount of time equipment should be held. Codifies supervision and controls over inventory of surplus computers.