| By Tim Seeman, Big Radio News Staff |
The owner of a Jefferson County information technology disposition company got more than he bargained for after winning a pair of online auctions for surplus computers from the federal government.
Matt, whose business refurbishes and resells used computers, says he came into possession of unsecured government hard drives that could have contained sensitive information after he bought batches of used machines from federal offices.
“You’d think that they’d have a process or a policy, and that’s when I started doing research and learning there were specific federal information security practices and other standards that clearly had been violated,” Matt said. “Frankly, I was a little bit concerned that after I reported it that I’d end up having to talk to the FBI because the federal agency basically was negligent and careless.
“As a small-business owner, I don’t need that kind of drama, attention or time-suck.”
Big Radio agreed to use only Matt’s first name over concerns for potential retaliation.
One group of four desktop computers came from the U.S. Citizenship and Immigration Services office in Lee’s Summit, Missouri. Matt says his son booted up one of the machines and discovered an intact file structure on a hard drive that was still installed on it. Two other machines also had hard drives still installed, though Matt says those were not powered up after finding the file structure on the first one.
A couple of months later, Matt obtained a lot of 27 laptops from the Veterans Administration Medical Center in Tomah. No hard drives were installed in any of those computers, but when he was moving one, Matt says a manila envelope containing a solid-state hard drive fell out from in between the folded laptop display and the keyboard.
“When it happened the second time, I was literally incensed,” Matt said. He said he had spoken to the property custodian at the VA, who reassured Matt there would not be a repeat of the previous incident — but then there was.
Matt says in both cases, the government characterized all the machines as having been “sanitized” and no longer containing data from their previous uses.
Matt initiated the process to return the hardware to the government after finding the hard drives. He provided email threads to Big Radio in which he coordinates with government employees to send the computers back to Missouri and to Tomah.
Matt says the episode makes him worry about similar breaches because the government regularly sells its surplus IT hardware in online auctions.
“These auctions happen in multiple states, U.S. territories, every single day, and if it’s happened twice to me, it just makes me wonder, like, ‘OK, how many other people has this happened to and they didn’t say a thing?’”
If delivered into the wrong hands, hard drives such as the ones that erroneously came into Matt’s possession could be a boon for hackers or others who might use the information stored on them for nefarious purposes.
Matt says he has been in contact with the relevant inspectors general and U.S. Sen. Tammy Baldwin’s office about the incidents.
“At the end of the day, we entrust government and private businesses with a lot of sensitive what they call PII, or personally identifiable information,” Matt said. “They have a statutory responsibility to safeguard that information, and in these two cases, clearly they’re not doing it. And they should be called out on it.”
