Surplus Secrets -- No One Means To Sell Your Personal Financial Data Along With Their Old Computers - But They Do

About a dozen computers are stacked in the Redmond home of a self-employed software programmer. They once belonged to Washington Mutual before they were sold as surplus several months ago.

Now, Washington Mutual wants them back, and for good reason. The computers - and perhaps dozens more - contain confidential financial information such as Social Security numbers, loan applications and job histories of an unknown number of Washington Mutual customers.

While Washington Mutual continues to examine how such an oversight could have occurred, computer specialists say it is increasingly common for businesses to inadvertently sell computer equipment with all kinds of private and potentially damaging information.

"The proliferation of data is out of people's control," said John Jessen, managing director of Electronic Evidence Discovery, a Seattle firm that counsels companies on storage and disposal of electronic data. "This (Washington Mutual) is not an isolated incident. It's becoming a recognized problem in some organizations."

Last August, Washington Mutual executives were informed by the software programmer, who asked not to be named, that the Seattle-based thrift had sold hard drives containing personal financial information to him and possibly others for the past five years.

Washington Mutual since has tried to buy back the last batch of computers. The programmer purchased them in August through IBM Global Services, which buys and resells used equipment from corporations, including Washington Mutual. A deal may be reached within a week, said bank officials.

"It's very unsettling," said Libby Hutchinson, spokeswoman for the Seattle-based thrift. "We bank here, too. None of us wants any information - including our own - out there."

Since 1992, Washington Mutual has sold or donated about 3,700 computers. In 1996, it began selling surplus equipment through IBM Global Services. Before then, Washington Mutual sold its computers directly to the public from a warehouse in West Seattle.

IBM Global Services referred all inquiries to Washington Mutual.

"Washington Mutual is continuing to investigate this situation with our technical advisers, IBM Global Services. We are currently reviewing their process for cleaning hard drives to ensure that our customers' confidential information is removed," said Liane Wilson, executive vice president of Washington Mutual.

Washington Mutual will determine how much confidential material has been lost before deciding whether to notify its customers.

Such breaches of security can become nightmares for bank customers. With a Social Security number, thieves can acquire credit cards, obtain phony driver's licenses or open bank accounts. Industry estimates of credit-card fraud alone run as high as $3 billion annually.

The Washington Mutual case is not the first time a local financial-services company sold computer gear with confidential information.

In June 1993, the Seattle office of Arthur Andersen sued the same Redmond software programmer who purchased equipment from Washington Mutual. In that case, the programmer had bought 30 computer disks that contained internal audits of several local companies, including McCaw Cellular Communications. While Arthur Andersen estimated the value of the disks at about $3,000, the man wanted much more, according to court documents.

"He has made various proposals to sell us back our information for prices up to $25,000 and has threatened to disclose and disseminate the information if we refuse to submit to his extortion demand," said Preston Prudente, director of administration for Arthur Andersen in the Northwest, in written testimony.

Arthur Andersen obtained a temporary restraining order to make sure the information contained on the disks remained confidential. The lawsuit was settled a month later, and the disks were returned.

The software programmer denied he attempted to extort Arthur Andersen. Instead, he said he wanted assurances that the firm would take further steps to ensure that such a leak could not happen again.

Extortion threats - real or perceived - are increasingly common with discarded computers, said Jessen of Electronic Evidence Discovery.

Jessen's firm typically is hired by lawyers seeking critical bits of information in the truckloads of documents that are generated in complex litigation.

Electronic Evidence Discovery also develops data-management systems for a wide range of clients, including several Fortune 100 companies. Jessen has lectured about the growing problem of computer security at Harvard Law School and the Central Intelligence Agency's School of Information Management.

Jessen needs the ability to read thousands of different computer programs, so he buys a lot of outdated equipment. Some of the files Jessen has come across contained such private information as a list of company employees infected with the virus that causes AIDS.

There's so much information on surplus computers that attorneys involved in high-stakes lawsuits will sometimes search for an adversary's equipment on the used-equipment market.

The laws governing the ownership of surplus data are vague. So far, the best analogy seems to be garbage, said Tiffany Murphy, a lawyer with Electronic Evidence Discovery.

"If you throw garbage out, it varies from state to state whether it still belongs to you or anybody who may find it," she said. "You don't know what the courts will do (with information). Some consider it found treasure."

Companies and individuals that sell directly to the public seem most at risk. Established computer resellers often have systems to erase every hard drive and disk that comes in the door to avoid future problems.

Re-PC Recycled Computers & Peripherals is one of the largest local retailers of used computer equipment. It sells about 2,000 used computers annually, most of which are purchased from businesses.

Its showroom looks like a cross between a garage sale and a computer museum - tables are laid out with boxes of disassembled hard drives and cartons of floppy disks; monitors are stacked like bricks. There are also rows of computers ready to be sold as is.

As a courtesy to its clients, Re-PC reformats every hard drive, wiping it clean.

Asked if he ever encountered confidential information, Re-PC co-owner Steve Hess replied: "We wouldn't have known, nor would we have cared. It's like looking through somebody's attic."

Other resellers say they, too, routinely clean all computer hard drives before they are put on the market. Individual owners of computers, resellers say, are generally careless about erasing confidential information such as bank information, personal letters - even pornography - before selling their computers.

"I see stuff all the time. It's routine enough that I don't even pay attention to it," said Lawrence Abeyta, a salesman at Seattle Computer Exchange, which buys most of its computers from individuals. "If anyone is concerned, they should probably clean their computers before selling them."

Alex Fryer's phone message number is 206-464-8124. His e-mail address is: afry-new@seatimes.com