
| Subject: | [ISN] Utility may face investigation for sale of unscrubbed drives |
|---|---|
| Date: | Wed, 10 May 2006 01:09:44 -0500 (CDT) |

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000333

Sharon Fisher
May 09, 2006

State and federal regulatory agencies have not yet determined whether Idaho Power faces any penalties after a salvage operator offered unscrubbed hard disk drives for sale on eBay Inc.'s auction Web site.

The utility had sold 230 disks to a salvage operator, who sold 84 on eBay. Most of the drives have been returned to Idaho Power. The incident was disclosed earlier this month.

The Federal Trade Commission would not confirm or deny whether the incident is under investigation. "In theory, there are different statutes that might come into play, but whether it was a basis for action would depend on the underlying circumstances," said Alain Sheer, an attorney in the division of privacy and identity protection in the bureau of consumer protection for the FTC, in Washington.

The Idaho Public Utilities Commission, which governs Idaho Power, would only investigate the incident if it has a direct financial impact on rate payers, a spokesman said. "If they were to file a rate case and include costs of this mishap, we'd probably deny those costs," he said. "The only way we would be involved is if a rate payer filed a complaint that he was harmed."

Meanwhile, a computer security expert who bought 10 unscrubbed Idaho Power drives over eBay said he disclosed the problem only after the utility failed to respond to his inquiries for a month.

Karl Hart, director of information technology at the University of Cincinnati's college of nursing and a security consultant, bought ten SCSI drives, in two lots of five, from eBay for $40 per lot. "That batch came from Idaho Power completely full of data, not cleaned up at all."

Data on the drives included diagrams of the electric supplier's power grid, confidential data stored by the Idaho Power legal department about lawsuits, contracts, property transactions, and complaint letters, and personal employee data, including Social Security numbers, birth dates, and payroll information, Hart said. "There were hundreds of thousands of files on these drives," he said.

Hart said he disclosed his purchase of the unscrubbed drives publicly after first unsuccessfully trying to notify the utility about the problem. A short time later, Hart said he was contacted by Blank Law & Technology PS in Seattle, a law firm hired by the utility to investigate the situation. The firm thanked him for bringing the matter to Idaho Power's attention.

Hart has since returned the drives to the utility for disposal. The university received a refund for the purchase, he said.

The law firm declined comment.

The Boise, Idaho-based utility, which supplies electricity to some 460,000 customers in southern Idaho and eastern Oregon, had hired Grant Korth of Nampa, Idaho, to recycle the 230 drives, the company said.

Hart said that Idaho Power should have required its outsourcing firm to certify that the drives had been cleaned. He also noted that the issue extends beyond Idaho Power -- even to his own organization.

Hart noted that he bought 25 used computers from the University of Cincinnati a year ago to test its drives for a presentation to be made by his consulting firm, Cincinnati-based Cybercon. Hart found that the computers' unscrubbed drives held university public safety and criminal records data.

The university is now putting in place policies to prevent similar problems, Hart said. "Even working at the university, it took a while to bring it to their attention," he said.