DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

NYS Division of Housing and Community Renewal not always wiping data before selling devices as surplus – Audit

Posted on July 6, 2013 by Dissent

While the NYS Department of State got a clean bill of health on their disposal of devices, the NYS Division of Housing and Community Renewal did not fare as well in an audit of its inventory and disposal procedures.  An audit by the NYS Office of the State Comptroller, released on June 25, reports:

Division of Housing and Community Renewal
Disposal of Electronic Devices (Issued 06/25/13)

Purpose
To determine if surplus electronic devices approved for sale by New York State Division of Housing and Community Renewal (Division) are permanently cleaned of all data, including personal, private and sensitive information (PPSI). The audit covers the period of June 1, 2012 through March 13, 2013.

Background
New York State Policy requires all State entities to establish formal procedures to address the risk that personal, private or sensitive information may be improperly disclosed. One way information can be compromised is through careless disposal of electronic devices. Agencies may dispose of electronic devices on their own; however the Office of General Services (OGS) provides this service for many State agencies, including the Division. Agencies are required to remove all information prior to disposal and, if sending them to OGS, to certify in writing that the devices no longer contain any retrievable information.

Key Findings

  • We tested a total of 752 electronic devices at both the Albany and the New York City offices. In Albany, two devices still contained general agency information and personal pictures, but none contained PPSI. In New York City, 13 hard drives showed indications that they still contained data. We did not forensically examine their content due to technical issues that made it impractical to apply modern forensic software tools against their older technology. Instead, we returned these drives to Division staff so they could be properly wiped of data.
  • We were unable to locate 17 computer hard drives that had already been removed from computers and were scheduled for shredding. The Division has no record of what information may have been on these missing drives and it is unclear whether they have been stolen, reused or simply misplaced.
  • We also could not locate 18 servers listed on the inventory records. Subsequently, the Division provided documentation showing it had sold 24 servers about 18 months earlier. However, the documentation did not include asset numbers and, therefore, provided only limited assurance that these were the same devices still listed on the inventory records.
  • We also could not locate eight other devices listed on inventory records and found one device recorded as surplus that was actually still in use.

Key Recommendations

  • Implement the Office of General Services’ recently released policy and procedure for removing memory components from surplus electronic devices.
  • Reinforce policies and procedures over the asset management system so that accurate records are maintained and assets are safeguarded, including periodic physical inventories to ensure the accuracy of records and assets are safeguarded.

Link to full audit report (2012-S-101)

Other Related Audits/Reports of Interest

Office of General Services: Disposal of Electronic Devices (2012-S-4)

Related posts:

  • Nice to see positive audit results!
  • NYS Comptroller finds IT security deficits in towns of Babylon and Salina
Category: Commentaries and Analyses

Post navigation

← Nice to see positive audit results!
Quayside Publishing notifies online customers of breach →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • CMS Sending Letters to 103,000 Medicare beneficiaries whose info was involved in a Medicare.gov breach.
  • Esse Health provides update about April cyberattack and notifies 263,601 people
  • Terrible tales of opsec oversights: How cybercrooks get themselves caught
  • International Criminal Court hit with cyber attack during NATO summit
  • Pembroke Regional Hospital reported canceling appointments due to service delays from “an incident”
  • Iran-linked hackers threaten to release emails allegedly stolen from Trump associates
  • National Health Care Fraud Takedown Results in 324 Defendants Charged in Connection with Over $14.6 Billion in Alleged Fraud
  • Swiss Health Foundation Radix Hit by Cyberattack Affecting Federal Data
  • Russian hackers get 7 and 5 years in prison for large-scale cyber attacks with ransomware, over 60 million euros in bitcoins seized
  • Bolton Walk-In Clinic patient data leak locked down (finally!)

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Trump administration is building a national citizenship data system
  • Supreme Court Decision on Age Verification Tramples Free Speech and Undermines Privacy
  • New Jersey Issues Draft Privacy Regulations: The New
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.