NJ employs turdbranes?

[nihil]

This is barely believable.............With this sort on nonsense why should anybody bother about IT security?

NEW YORK (Reuters) - Child abuse reports, Social Security numbers and other highly sensitive data were discovered on a batch of government computers headed for the auction block to be sold by the State of New Jersey, authorities said on Thursday.

State workers preparing the equipment for sale had opted not to use a device designed to magnetically erase sensitive data from hard drives because it was noisy, the comptroller's office said in a news release.
"The first thing we did was suspend the auctions and remove all the hard drives," McAleer told Reuters.

Among the delicate information found on the computers was a list of state-supervised children, along with their birth dates and Medicaid numbers, a state judge's file including his life insurance, tax returns and attorneys in disputes or with emotional problems and personnel reviews and computer passwords of state employees.
Now that the hard drives have been removed, many of the computers are now being sold without them, McAleer said.

Oh sure! the auction must go on.......

ARTICLE

http://whtc.com/news/articles/2011/m...ensitive-data/

[westin]

It is pretty sad... These things don't even surprise me anymore. I just kind of shake my head, and mutter something about restructuring...

[nihil]

Hi westin,

I am afraid that this is typical of what happens when you give ill-disciplined people a job that they don't want to do?.......or is there more to it than that?

I recall seeing an officer's assessment report once.............his CO had written: "works well, when cornered like a rat, and closely supervised"

I do recall using electromagnetic wiping boxes............they didn't make any noise to speak of.........well, no more than a microwave.

What puzzles me is that the ones used on HDDs were destructive? they would wipe the contents of the control card chips..........firmware etc, as well as the platters. The drives were totally unusable afterwards.

So, it seems to me that these people were too lazy to pop the cases and take out the HDDs?

From what I can see, there was never any intention of redeploying the HDDs. They were earmarked for destruction from the start.

Doing a 3 or 7 pass wipe would take some time, so that was probably rejected; and in the case of sensitive data would not be an option unless the redeployment was internal.

I strongly suspect fraud here

If I go to an auction and buy sealed pallets of kit: "unseen", I am not going to pay top dollar, particularly if I expect that they don't have HDDs. If, on the other hand, I know that they do have HDDs, I will win the auction, because I would be prepared to pay that bit more?...........

I wonder how much he/she was going to get paid for this "mistake"?

EDIT:

I forgot to mention.............this is the first time this procedural anomaly has been discovered..........so how many computers have they sold prior to that???

Maybe we have a member who lives in NY or NJ who would like to discretely contact the NYT (or whoever) and see if there is an up and coming investigative journalist who would like a scoop on the potential fraud and previous incompetence angle?...how many people's private data have already been compromised?................... not that I like to see politicians and their "paper tiger running dogs" squirm or anything..........it's just that this lot are beyond my effective range

Over here we call "public servants" : "civil servants" and have a well known interpretation of that description, which is: "civil to no man, and servant to the devil"

[ShagDevil]

Nihil, I work at one of the departments audited for the drives sent to surplus.

Without getting into too much detail, I can tell you a few things.

It wasn't fraud. It was poor planning, poorly enforced mandates, and lack of communication between departments and the state's primary IT department.

I call also assure you that I am -not- lazy, incompetent, or a "turdbrane". So maybe you can ease off taking digs into people when your information is limited.

[westin]

In nihil's defense, when I hear about an organization that fails to wipe sensitive information off of hard drives because it is too noisy, the first thing that comes to mind is incompetence. There are so many ways that this could have been avoided. Sure DBAN can take a little while, but it is better than paying for credit monitoring for everyone affected. As previously stated... just remove the HDDs... then you could destroy them any number of ways. What was the hangup?

[ShagDevil]

when I hear about an organization that fails to wipe sensitive information off of hard drives because it is too noisy, the first thing that comes to mind is incompetence

That's a separate department and if they don't want their degausser, I'll gladly take it.

There are so many ways that this could have been avoided

Of course. For starters? Get your circulars & mandates into the hands of the people that need them. Like me. When I come on board a new department, I -need- that kind of information. For the people putting out the information, -verify- that I got it. Make me sign -something- as proof that I did in fact get the proper documentation. Hell, make all IT staff take an online course on state mandates regarding excess hardware. We do it for everything else, why not this? (That's the poorly enforced mandates part).

As previously stated... just remove the HDDs

Ideally that's what one would think. However, there was no clarity on what state the computers needed to be in when they were dropped off at surplus. (That's the lack of communication between departments and the state's primary IT department part)

What was the hangup?

In our particular case, 2 drives went to surplus that weren't supposed to. It was purely accidental. We were in the middle of a reorganizing a substantial amount of excess hardware within very limited storage space. Unfortunately, 2 systems that crashed (which were not wiped) got put in the same room as 20 other systems (which were wiped) destined for surplus. (That's the poor planning part).

Had there been a clear-cut mandate to remove the drives, my life would have been MUCH easier. I actually spent MORE time wiping the drives then just pulling the damn things out. In addition, I got drilled by the auditors like little or no effort was put in to clean these drives when that's the furthest thing from the truth.