
Thread: Utility may face investigation for sale of unscrubbed drives




user name
2006-05-10 06:09:44
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000333

Sharon Fisher
May 09, 2006

State and federal regulatory agencies have not yet determined whether Idaho Power faces any penalties after a salvage operator offered unscrubbed hard disk drives for sale on eBay Inc.'s auction Web site.

The utility had sold 230 disks to a salvage operator, who sold 84 on eBay. Most of the drives have been returned to Idaho Power. The incident was disclosed earlier this month.

The Federal Trade Commission would not confirm or deny whether the incident is under investigation.

"In theory, there are different statutes that might come into play, but whether it was a basis for action would depend on the underlying circumstances," said Alain Sheer, an attorney in the division of privacy and identity protection in the bureau of consumer protection for the FTC, in Washington.

The Idaho Public Utilities Commission, which governs Idaho Power, would only investigate the incident if it has a direct financial impact on rate payers, a spokesman said.

"If they were to file a rate case and include costs of this mishap, we’d probably deny those costs," he said. "The only way we would be involved is if a rate payer filed a complaint that he was harmed."

Meanwhile, a computer security expert who bought 10 unscrubbed Idaho Power drives over eBay said he disclosed the problem only after the utility failed to respond to his inquiries for a month.

Karl Hart, director of information technology at the University of Cincinnati's college of nursing and a security consultant, bought ten SCSI drives, in two lots of five, from eBay for $40 per lot. "That batch came from Idaho Power completely full of data, not cleaned up at all."

Data on the drives included diagrams of the electric supplier's power grid, confidential data stored by the Idaho Power legal department about lawsuits, contracts, property transactions, and complaint letters, and personal employee data, including Social Security numbers, birth dates, and payroll information, Hart said. "There were hundreds of thousands of files on these drives," he said.

Hart said he disclosed his purchase of the unscrubbed drives publicly after first unsuccessfully trying to notify the utility about the problem.

A short time later, Hart said he was contacted by Blank Law & Technology PS in Seattle, a law firm hired by the utility to investigate the situation. The firm thanked him for bringing the matter to Idaho Power's attention. Hart has since returned the drives to the utility for disposal. The university received a refund for the purchase, he said. The law firm declined comment.

The Boise, Idaho-based utility, which supplies electricity to some 460,000 customers in southern Idaho and eastern Oregon, had hired Grant Korth of Nampa, Idaho, to recycle the 230 drives, the company said.

Hart said that Idaho Power should have required its outsourcing firm to certify that the drives had been cleaned. He also noted that the issue extends beyond Idaho Power -- even to his own organization.

Hart noted that he bought 25 used computers from the University of Cincinnati a year ago to test its drives for a presentation to be made by his consulting firm, Cincinnati-based Cybercon.

Hart found that the computers' unscrubbed drives held university public safety and criminal records data. The university is now putting in place policies to prevent similar problems, Hart said.

"Even working at the university, it took a while to bring it to their attention," he said.


