Thursday, May 29, 2008

Oklahoma Auctions Tax Data-Loaded Drive

Via SecurityProNews -

A computer labeled as coming from the Oklahoma Tax Commission ended up in an auction with personally identifiable information, including Social Security numbers, intact and unencrypted.

With governments like these, who needs enemies? Grifters seeking financial gain at the expense of others don't need to work on botnets or spam Trojans to millions of people, if more locales plan to auction off PC hardware without scrubbing it first.

Granted, my idea of secure hard drive disposal involves degaussers, industrial grinders, and an intense smelting process for the bits; that may be a little excessive, especially when government budgets come into the picture.

But the report at in Oklahoma beggars belief. Any mildly competent security pro should be aghast at how one man managed to purchase 50 computers from a government auction and end up with a treasure trove of personal data on one of them.

Joe Sill found thousands of entries from 2003 about state citizens, including names, addresses, and Social Security numbers, on the machine in question. Such details easily enable identity theft for criminals.

Oklahoma government types said in the report they're trying to figure out what happened. They also plan to enact a new policy prohibiting machines from leaving with their hard drives.

They plan to erase such drives, but the nominal cost of storage these days ought to prompt a different course of action from them. Drives on machines destined for auction should be erased and physically destroyed.

There is no plausible reason to do otherwise. Any techie buying a computer at auction likely knows how to drop in a new hard drive on a deeply discounted machine. As long as the auction says "HD not included," no one should be willing to complain.


