Audit Reveals Poor Computer & Data Disposal Practices At Idaho National Laboratory

Yesterday Government Computer News reported bad computer disposal methods at the Idaho National Laboratory that leave confidential and restricted data, including nuclear details, vulnerable.

“The Energy Department’s Inspector General, Gregory H. Friedman, has found fault with the Idaho National Laboratory’s technical procedures for removing restricted nuclear data and confidential data from old computers.
DOE agreed with the conclusions of a report Friedman’s office issued, which essentially recommended that the Idaho laboratory adopt and enforce all department policies regarding the handling of excess computers.
Like other DOE and federal agencies, INL operates under laws and rules requiring it to remove various categories of restricted information from its systems before disposing of them. DOE refers to the disposal process as “excessing.” Excessing can involve transferring computers to other agencies or donating them to schools. Systems can also be sold or salvaged, according to a newly released report from Friedman’s office.”

I’ve performed over a hundred third party information security reviews over the past few years, and one issue that is almost always present is inappropriate disposal of both hard copy information and network and computer equipment. A large number of organizations do the “excessing” indicated in the article.
In fact, in one organization I reviewed, their information “security” policy for computer equipment directed employees to sell old computer equipment on eBay to get the most return possible…and did not mention anything about removing data before trying to recoup money on their old computers.

““We concluded that INL did not have adequate policies and internal controls for excessing computers and other electronic memory devices to prevent the unauthorized dissemination of unclassified controlled information,” the report stated.
They added that they did not uncover any additional releases of the controlled information.
According to the report, DOE and its contractor who operates the Idaho lab had failed to properly update their procedures for computer disposal during a 16-month period beginning in November 2004.
Eliminating data from computer systems set for disposal can be an expensive and specialized task.
For example, PC hard drives must be “degaussed,” or exposed to magnetic fields that sanitize their content. Also, in many cases where the hard drives have contained classified information, federal agencies have adopted the policy of destroying the components in metal shredders.
The auditors toured INL’s facilities for storing excess computers and shipping them offsite for disposal after degaussing. They found many hard drives kept in a wooden box outdoors in the lab’s property protection area.”

Yes, proper disposal can be expensive, but it still has to be done. That is a necessary cost of responsible business.
In November 2006 I put together an issue of the Cutter IT Journal, devoting it to privacy, “Avoiding Privacy Pitfalls.”
A couple of the articles covered the problems with computer and data disposal: “Best Practices in Data Destruction” by D.J. Vogel and Mark Fischer, and “Gone but Not Forgotten: Protecting PII on Discarded Equipment” by Dr. Andrew Jones.
In his paper, Dr. Jones describes his ongoing research on discarded computers and peripherals. His findings are remarkable. Just a few from his initial research:

“The initial research looked at the situation in the UK and Australia. What researchers discovered was that, for the majority of the secondhand hard disks that were examined, the information they had originally contained had not been effectively removed. As a result, for both organizations and individuals, significant volumes of PII remained that could be accessed with ease. Consequently, the organizations themselves, their customers, and their staff were potentially exposed to a number of crimes, including identity theft, fraud, and blackmail.
Among the organizations that researchers identified as the former owners of the disks were a large leisure services organization, an agrochemical company, a financial services organization, and — perhaps packing the most emotional punch of all — an elementary school. The volume and level of PII researchers found was shocking. If the disks had been purchased by individuals or groups with criminal intent, the information they contained could have facilitated a whole range of crimes against both the previous owners of the disks and the individuals to whom the information referred.
On the disk that had belonged to the leisure services organization, researchers found information relating to current business plans, financial turnover by establishment, and staff lists with national insurance numbers, home address and telephone numbers, and salary details. From the agrochemical company, there was important information on the processes and results of crop trials (although only for conventional crop trials, not trials of genetically modified crops). From the disk belonging to the financial services organization, there was internal business information, including staff details and sensitive internal communications. On the disk that came from the elementary school was information from which individual children could be identified, together with details of their disciplinary and progress records.”

Organizations must be as diligent in the disposal of data…in all forms…as they are in maintaining their firewalls and anti-virus software. Too much personally identifiable information (PII) along with sensitive information that could be used for great harm in a large number of ways continues to be thoughtlessly thrown in the trash or sold in online auctions.
