WASHINGTON — Metro failed to erase hard drives before putting them up for auction as surplus, exposing some employees’ personal information, an internal audit found.
The audit, accepted Thursday by the Metro Board’s Audits and Investigations Committee and completed last fall, notes that a similar issue was identified in 2012 in a separate audit also done by Metro’s Office of the Inspector General.
In this case, auditors looked at two PC hard drives that were available for public auction last August. Both had been used by the Department of Rail Services and still had accessible data.
One of the drives had tax software and 2,326 files. The other had 2,783 files.
“Both hard drives contained PII [Personally Identifiable Information], such as the names of 19 previous users,” the audit found.
The drives were sent straight to the storage facility, rather than first going to the IT Department to be erased.
The IT Department also could not show it conducted its own required audits to be sure hard drives and other electronic data storage systems are erased before being disposed of or sold.
“Failing to remove data from storage media prior to its transfer or disposal, increases the risk that critical and sensitive business data stored on storage media may be compromised and used for other than legitimate purposes,” the inspector general’s office found.
Metro management agreed with the audit, and agreed to make sure hard drives are properly erased in the future.