http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000333 Sharon Fisher May 09, 2006 State and federal regulatory agencies have not yet determined whether Idaho Power faces any penalties after a salvage operator offered unscrubbed hard disk drives for sale on eBay Inc.'s auction Web site. The utility had sold 230 disks to a salvage operator, who sold 84 on eBay. Most of the drives have been returned to Idaho Power. The incident was disclosed earlier this month. The Federal Trade Commission would not confirm or deny whether the incident is under investigation.. "In theory, there are different statutes that might come into play, but whether it was a basis for action would depend on the underlying circumstances," said Alain Sheer, an attorney in the division of privacy and identity protection in the bureau of consumer protection for the FTC, in Washington. The Idaho Public Utilities Commission, which governs Idaho Power, would only investigate the incident if it has a direct financial impact on rate payers. a spokesman said. "If they were to file a rate case and include costs of this mishap, we’d probably deny those costs," he said. "The only way we would be involved is if a rate payer filed a complaint that he was harmed." Meanwhile, a computer security expert who bought 10 unscrubbed Idaho Power drives over eBay, said he disclosed the problem only after the utility failed to respond to his inquiries for a month. Karl Hart, director of information technology at the University of Cincinnati's college of nursing and a security consultant, bought ten SCSI drives, in two lots of five, from eBay for $40 per lot. "That batch came from Idaho Power completely full of data, not cleaned up at all." Data on the drives included diagrams of the electric supplier's power grid, confidential data stored by the Idaho Power legal department about lawsuits, contracts, property transactions, and complaint letters, and personal employee data, including Social Security numbers, birth dates, and payroll information, Hart said. "There were hundreds of thousands of files on these drives," he said. Hart said he disclosed his purchase of the unscrubbed drives publicly after first unsuccessfully trying to notify the utility about the problem. A short time later, Hart said he was contacted by Blank Law & Technology PS in Seattle, a law firm hired by the utility to investigate the situation. The firm thanked him for notifying Idaho Power's attention. Hart has since returned the drives to the utility for disposal. The university received a refund for the purchase, he said. The law firm declined comment. The Boise, Idaho-based utility, which supplies electricity to some 460,000 customers in southern Idaho and eastern Oregon, had hired Grant Korth of Nampa, Idaho, to recycle the 230 drives, the company said. Hart said that Idaho Power should have required its outsourcing firm certify that the drives had been cleaned. He also noted that the issue extends beyond Idaho Power -- even to his own organization. Hart noted that he bought 25 used computers from the University of Cincinnati a year ago to test its drives for a presentation to be made by his consulting firm, Cincinnati-based Cybercon. Hart found that the computers unscrubbed drives held university public safety and criminal records data. The university is now putting policies putting in place policies to prevent similar problems, Hart said. "Even working at the university, it took a while to bring it to their attention," he said. _________________________________ Attend the Black Hat Briefings and Training, Las Vegas July 29 - August 3 2,500+ international security experts from 40 nations, 10 tracks, no vendor pitches. www.blackhat.com
This archive was generated by hypermail 2.1.3 : Tue May 09 2006 - 23:56:25 PDT