Files on abused children. Employee evaluations. Tax returns. A list of computer passwords. Names, addresses, birth dates and other information on hundreds of foster children and abused children. And, of course, Social Security numbers.
The information could hardly have been more sensitive — the raw material of identity theft and invasion of privacy — yet the State of New Jersey was about to turn it over to the highest bidder, the state comptroller, Matthew A. Boxer, reported on Wednesday. After the comptroller’s office reviewed computer equipment that the state was preparing to auction to the public last year, it found that 46 out of 58 hard drives, or 79 percent, still had data on them, much of it confidential.
Mr. Boxer’s investigation stopped that sale, but it points to the near-certainty that the state had already inadvertently released privileged information on thousands of people. The state sells or gives away hundreds of computers annually at several auctions, and Mr. Boxer said that as far as he knew, no outside agency had looked into the handling of the equipment before his office did.
“What happened before our auditors got there is obviously an issue of concern,” he said. “The risk here is enormous.”
His report said that one agency had a device that magnetically erased computer drives, but that employees did not like to use it because it was noisy. “I find that offensive,” Mr. Boxer said.
Informed of the security breach, the State Treasury Department, which manages surplus equipment, stopped auctioning computers last year. It is working on a new set of practices for handling them.
Reports of the exposure of private data have become common, each one leading to a round of warnings about identity theft. Computers are lost or stolen, people accidentally post information online, and people are tricked into revealing their secrets.
“Public-agency breaches are disheartening because they have so much data, and much of it is sensitive,” said Beth Givens, director of the group. “Data stewardship should be the top priority for them.”
State offices send used equipment to a warehouse in Hamilton, near Trenton, which is supposed to notify every state agency that it is available. Anything unclaimed after 30 days is given to local governments or nonprofit groups, or is sold at auction.
But the comptroller’s office found that the warehouse staff often failed to follow the rules for notification, steering computers, cell phones and other equipment to favored people in and out of state government. The investigation stemmed from a 2007 inquiry into auction-rigging, theft and other violations at that warehouse, which led to the conviction of four employees.
Thirty-two of the hard drives Mr. Boxer’s team examined held information that should not be made public. Six of the drives had Social Security numbers, including those contained in personnel reviews found in an e-mail archive.
The computers came from the judiciary branch, the Department of Children and Families, the Department of Health and Senior Services, and the Office of Administrative Law. In some cases, no attempt had been made to erase files. In others, investigators were able to recover deleted files using commonly available software.