About a dozen computers are stacked in the Redmond home of a self-employed software programmer. They once belonged to Washington Mutual, a Seattle savings and loan, before they were sold as surplus several months ago.
Now, Washington Mutual wants them back, and for a good reason. The computers – and perhaps dozens more – contain confidential financial information such as Social Security numbers, loan applications and job histories of an unknown number of Washington Mutual customers.
While Washington Mutual continues to examine how such an oversight could have occurred, computer specialists say it is increasingly common for businesses to inadvertently sell computer equipment with all kinds of private and potentially damaging information.
“The proliferation of data is out of people’s control,” said John Jessen, managing director of Electronic Evidence Discovery, a Seattle firm that counsels companies on storage and disposal of electronic data. “This is not an isolated incident. It’s becoming a recognized problem in some organizations.”
Last August, Washington Mutual executives were informed by the software programmer, who asked not to be named, that the thrift had sold hard drives containing personal financial information to him and possibly others for the past five years.
Washington Mutual is now trying to buy back the last batch of computers, purchased through IBM Global Services, which buys and resells used equipment from corporations.
“It’s very unsettling,” said Libby Hutchinson, spokeswoman for the Seattle-based thrift. “We bank here, too. None of us wants any information – including our own – out there.”
Since 1992, Washington Mutual has sold or donated about 3,700 computers. In 1996, it began selling surplus equipment through IBM Global Services. Before then, Washington Mutual sold its computers directly to the public.
Such breaches of security can become nightmares for bank customers. With a Social Security number, thieves can acquire credit cards, obtain phony driver’s licenses or open bank accounts. Industry estimates of credit card fraud alone run as high as $3 billion annually.
The Washington Mutual case is not the first time a Seattle financial-services company sold computer gear with confidential information.
In June 1993, the Seattle office of Arthur Andersen sued the same Redmond software programmer who purchased equipment from Washington Mutual. In that case, the programmer had bought 30 computer disks that contained internal audits of several local companies, including McCaw Cellular Communications. While Arthur Andersen estimated the value of the disks at about $3,000, the man wanted much more, according to court documents.
“He has made various proposals to sell us back our information for prices up to $25,000 and has threatened to disclose and disseminate the information if we refuse to submit to his extortion demand,” said Preston Prudente, director of administration for Arthur Andersen in the Northwest, in written testimony.
Arthur Andersen obtained a temporary restraining order to make sure the information contained on the disks remained confidential. The lawsuit was settled a month later, and the disks were returned.
The software programmer denied he attempted to extort Arthur Andersen. Instead, he said he wanted assurances that the firm would take further steps to ensure that such a leak could not happen again.
Extortion threats – real or perceived – are increasingly common with discarded computers, said Jessen of Electronic Evidence Discovery.
Jessen’s firm typically is hired by lawyers seeking critical bits of information in the truckloads of documents that are generated in complex litigation. Some of the files Jessen has come across contained such private information as a list of company employees who are HIV-positive.




