[ISN] Utility may face investigation for sale of unscrubbed drives
InfoSec News
isn at c4i.org
Wed May 10 02:09:44 EDT 2006
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000333
Sharon Fisher
May 09, 2006
State and federal regulatory agencies have not yet determined whether
Idaho Power faces any penalties after a salvage operator offered
unscrubbed hard disk drives for sale on eBay Inc.'s auction Web site.
The utility had sold 230 disks to a salvage operator, who sold 84 on
eBay. Most of the drives have been returned to Idaho Power. The
incident was disclosed earlier this month.
The Federal Trade Commission would not confirm or deny whether the
incident is under investigation.
"In theory, there are different statutes that might come into play,
but whether it was a basis for action would depend on the underlying
circumstances," said Alain Sheer, an attorney in the division of
privacy and identity protection in the bureau of consumer protection
for the FTC, in Washington.
The Idaho Public Utilities Commission, which governs Idaho Power,
would investigate the incident only if it had a direct financial
impact on ratepayers, a spokesman said.
"If they were to file a rate case and include costs of this mishap,
we'd probably deny those costs," he said. "The only way we would be
involved is if a rate payer filed a complaint that he was harmed."
Meanwhile, a computer security expert who bought 10 unscrubbed Idaho
Power drives over eBay said he disclosed the problem only after the
utility failed to respond to his inquiries for a month.
Karl Hart, director of information technology at the University of
Cincinnati's college of nursing and a security consultant, bought ten
SCSI drives, in two lots of five, from eBay for $40 per lot. "That
batch came from Idaho Power completely full of data, not cleaned up at
all."
Data on the drives included diagrams of the electric supplier's power
grid, confidential data stored by the Idaho Power legal department
about lawsuits, contracts, property transactions, and complaint
letters, and personal employee data, including Social Security
numbers, birth dates, and payroll information, Hart said. "There were
hundreds of thousands of files on these drives," he said.
Hart said he disclosed his purchase of the unscrubbed drives publicly
after first unsuccessfully trying to notify the utility about the
problem.
A short time later, Hart said, he was contacted by Blank Law &
Technology PS in Seattle, a law firm hired by the utility to
investigate the situation. The firm thanked him for bringing the
problem to Idaho Power's attention. Hart has since returned the drives
to the utility for disposal. The university received a refund for the
purchase, he said. The law firm declined comment.
The Boise, Idaho-based utility, which supplies electricity to some
460,000 customers in southern Idaho and eastern Oregon, had hired
Grant Korth of Nampa, Idaho, to recycle the 230 drives, the company
said.
Hart said that Idaho Power should have required its outsourcing firm
to certify that the drives had been cleaned. He also noted that the
issue extends beyond Idaho Power -- even to his own organization.
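The certification Hart describes is only worth something if the party receiving the drives can check it independently. The following is an added example, not code from the article, from Idaho Power or from the salvage operator: a small Python checker that reads a drive image sector by sector, counts sectors that are not all zero, looks for a handful of on-disk signatures (boot sector, NTFS and FAT32 volume headers, PDF, ZIP/Office and JPEG magic bytes), and computes the byte entropy so that a random-pattern overwrite is not mistaken for leftover data. The signature table is a deliberately small illustrative subset, the 7.9-bit entropy threshold is a judgement call rather than a standard, and the sample images are constructed in memory so the block runs offline.

```python
import io
import math
import os
import sys
from collections import Counter
from dataclasses import dataclass, field

SECTOR = 512

# Illustrative subset of on-disk signatures. Offsets are relative to the
# start of a sector; a wiped drive should show none of them anywhere.
SIGNATURES = {
    "MBR/VBR boot signature": (510, b"\x55\xAA"),
    "NTFS volume header": (3, b"NTFS    "),
    "FAT32 volume label": (82, b"FAT32   "),
    "PDF document": (0, b"%PDF"),
    "ZIP/Office document": (0, b"PK\x03\x04"),
    "JPEG image": (0, b"\xFF\xD8\xFF"),
}

ENTROPY_THRESHOLD = 7.9  # bits per byte; assumption, not a published limit


@dataclass
class WipeReport:
    sectors: int = 0
    zero_sectors: int = 0
    nonzero_sectors: int = 0
    signatures: Counter = field(default_factory=Counter)
    entropy_bits: float = 0.0  # Shannon entropy over all bytes read, 0..8

    @property
    def sanitized(self) -> bool:
        # Accept media that is all zeros, or that is indistinguishable from
        # random (a random-pattern overwrite), provided no known structure
        # survives anywhere on it.
        if self.signatures:
            return False
        return self.nonzero_sectors == 0 or self.entropy_bits > ENTROPY_THRESHOLD


def verify_wipe(stream, sector: int = SECTOR) -> WipeReport:
    """Scan a raw device or image stream and report what survives on it."""
    report = WipeReport()
    hist = Counter()
    while True:
        chunk = stream.read(sector)
        if not chunk:
            break
        report.sectors += 1
        if chunk.count(0) == len(chunk):
            report.zero_sectors += 1
        else:
            report.nonzero_sectors += 1
        hist.update(chunk)
        for name, (off, magic) in SIGNATURES.items():
            if chunk[off:off + len(magic)] == magic:
                report.signatures[name] += 1
    total = sum(hist.values())
    if total:
        report.entropy_bits = -sum(
            (n / total) * math.log2(n / total) for n in hist.values()
        )
    return report


# Constructed sample images (not real drive contents).
def zero_image(n_sectors: int) -> io.BytesIO:
    return io.BytesIO(b"\x00" * SECTOR * n_sectors)


def random_image(n_sectors: int) -> io.BytesIO:
    return io.BytesIO(os.urandom(SECTOR * n_sectors))


def dirty_image() -> io.BytesIO:
    # Sector 0: a boot sector with only the 0x55AA signature set.
    mbr = bytearray(SECTOR)
    mbr[510:512] = b"\x55\xAA"
    # Sector 2: the head of a PDF, the kind of document the article says
    # turned up on the resold drives. Everything else is zero.
    pdf = b"%PDF-1.4\n% constructed sample document\n".ljust(SECTOR, b"\x00")
    return io.BytesIO(bytes(mbr) + b"\x00" * SECTOR + pdf + b"\x00" * SECTOR * 5)


if __name__ == "__main__":
    # Usage: python verify_wipe.py /dev/sdX   (or a raw image file)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    stream = open(path, "rb") if path else dirty_image()
    r = verify_wipe(stream)
    print(f"{r.sectors} sectors, {r.nonzero_sectors} non-zero, "
          f"entropy {r.entropy_bits:.2f} bits/byte, "
          f"signatures {dict(r.signatures)}, sanitized={r.sanitized}")
```

Run against the constructed dirty image the checker flags the boot signature and the PDF header and reports the drive as not sanitized; against the all-zero and random images it reports no surviving structure. On a real multi-terabyte drive the full-read histogram is slow; a production check would sample sectors across the whole device, but the pass/fail logic is the same.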
Hart noted that he bought 25 used computers from the University of
Cincinnati a year ago to test their drives for a presentation to be
made by his consulting firm, Cincinnati-based Cybercon.
Hart found that the computers' unscrubbed drives held university public
safety and criminal records data. The university is now putting in
place policies to prevent similar problems, Hart said.
"Even working at the university, it took a while to bring it to their
attention," he said.