State fails to erase PCs

Names, Social Security numbers, pornography discovered on N.C. surplus computers

Pornography, Social Security numbers and even a National Guard troop list were among information found on surplus computers from various N.C. state agencies, according to an audit released Wednesday.

Two-thirds of the 96 computers headed for schools and public sale contained accessible information in violation of state regulations, the N.C. Office of the State Auditor said. And more than a third contained sensitive information not available to the public, the audit said.

Based on what auditors found, "it appears this has been going on for a while," said Dennis Patterson, spokesman for the state auditor's office.

Some surplus state computers are refurbished by prisoners, giving them access to data that could be used by an identity thief or by someone who wanted to hack into state computer systems, the audit said. That program was suspended Wednesday after the audit, though no evidence existed that prisoners got a hold of any information from state computers.

The state regulation for destroying or overwriting hard drives is now under review because of the audit, said Danny Lineberry, spokesman for the N.C. Office of Information Technology Services. One glitch is that the regulation allows hard drives to be reformatted, a process that can be easily undone with software programs.

Computer security experts were not surprised by the news. Hard drives on less than 10 percent of discarded personal and business computers are wiped out thoroughly enough to prevent someone from accessing information, said Charles Hutson, principal consultant for Charlotte computer security firm nGuard.

"People are not thinking about sensitive data," Hutson said. "They think the information is safe ... and it really isn't."

The state code on wiping out computer data does not punish violators. That's up to individual state departments, whose officials talked Wednesday more about sending out reminders of the rules than reprimands.

The exception could be the users of two computers that habitually surfed pornographic Web sites. Those cases have been turned over to the state auditor's investigation unit.

North Carolina adopted the code to wipe, reformat or destroy hard drives in 2002 to protect information stored on 8,000 state computers sent to surplus each year. The rules, which are not available on a public Web site for security purposes, say data must be "permanently removed."

The audit was the first since the regulations took effect.

Nearly all departments had computers that failed to meet the state code during the audit of machines randomly selected late last year at the state surplus property warehouse. Much of the information was tied to the state employee last using the computer, though some of the data belonged to members of the public.

Six of 11 computers from the Department of Crime Control and Public Safety did not meet standards, including one that contained names and Social Security numbers of National Guard troops, the audit said.

"We were shocked to find out what happened," department spokeswoman Patty McQuillan said.

Some computers from the Department of Environment and Natural Resources had just their files deleted rather than wiping out the entire hard drive, spokesman Dean Reuter said. Eight of 12 ENR computers failed to meet standards, the audit said.

Some agencies followed the rules and reformatted hard drives. Of the 14 computers from the Employment Security Commission, 10 had accessible information, including six that were reformatted.

Auditors were able to recover information from 16 computers that reformatted hard drives. State Auditor Ralph Campbell, whose office conducted the review, heads the committee that adopted the security code. Reformatting was seen as a practical measure two years ago, said a spokesman.

Data should be wiped out using programs that cover information on a hard drive with other characters by running programs similar to those used by the Defense Department, said Ted Claypoole, a Charlotte lawyer who specializes in technology issues.

"You've still got a number of companies that aren't doing anything at all," he said.

The city of Charlotte sends 300 to 400 surplus computers annually to a group in the information technology department, which wipes out information using Defense Department standards that does not include reformatting, said Norma Kerns, the city's surplus property manager.

End of the Drive

John McBride, the Observer's Help Desk computer columnist, offers this advice for folks getting rid of their computers:

• The best way to be sure sensitive data never falls into the wrong hands is removing the hard drive from the computer and beating it with a hammer. A new 40 gigabyte hard drive can be had for $60. Removing the hard drive isn't difficult, but involves removing the case and messing with the computer's innards. If you'd rather not attempt this, a computer repair shop would probably do it for a small fee. If you're donating the computer, ask the recipient to remove the hard drive and return it to you.

• If you must keep the hard drive, buy a program from $25 to $50 that claims to securely remove all traces of data from the disk. Some programs include Disk Wiper (www.diskwiper.com); CyberCide (www.cyberscrub.com); and EraserDisk (micro2000.com/ eraserdisk/). You can also get some free utilities from www.download.com and search for "hard disk eraser.