Giving Away A Little Too Much?

On a near weekly basis, The Credit Union Journal's Community Page includes reports of credit unions that have donated used personal computers to various charities.

But could a credit union unknowingly send along member data with those donations? IT managers interviewed by The Credit Union Journal said that the answer could be yes, but that in their cases they had taken numerous steps to ensure used computer hard drives slated for donation were wiped clean.

The caution taken by some credit unions runs counter to the findings of one recent report, which found nearly half of computers donated to charity included private information stored on their hard drives.

One reason many credit unions say they feel safe that member information hasn't been unwittingly given away is that most don't usually store confidential data on PCs.

"Our members' personal and financial files are kept with a service bureau, so there's nothing stored on a computer itself," explained Wendy Spachman, information systems manager at $215-million Merck Sharp & Dohme FCU in North Wales, Penn.

"But you never know what people put on a computer, so I guess there's always a possibility that it might hold sensitive data."

That's why Merck Sharp & Dohme didn't take chances with a recent donation of 17 Compaq DeskPros with processors ranging up to 166 megahertz. Spachman reformatted the hard drives with recovery disks and then reloaded the operating systems. "The machines go back the same way we got them," Spachman said.

For example, if the computer ran on Windows 98 before the CU reformatted the hard drive, then Windows 98 is reinstalled for donation.

But not everyone is so careful. Personal information was recovered on almost 40% of the used hard drives bought online and at computer stores in a recent study published in the online magazine IEEE Security & Privacy.

Other CU executives echoed Spachman's opinion: It seems unlikely that members' financial information could be found on machines donated by a CU, but that doesn't mean it can't happen.

Travis Credit Union, Vacaville, Calif., uses a terminal emulator program to store member data, said Craig Beaudry, assistant VP-information technology. "For the most part, our computer hard drives wouldn't contain any member data. But there is always the risk," he continued.

The risk is higher depending on who has been using the computer, according to Adam Lambert, information systems coordinator at Pearl River, NY-based Palisades FCU.

"Only a few of my machines would require some extra processing to remove data. For example, management-level machines would be more likely to have confidential data."

Both $1.1-billion Travis CU and the $110-million Palisades FCU make efforts to clean up their hard drives before donation.

Palisades FCU donated 18 PCs with Pentium and 486 processors in 2001 to charity.

"I checked for any Microsoft Word documents with information and found none, so that wasn't a problem," said Lambert. "The only thing I removed was our host connectivity software."

Of course, Lambert then runs "low-level" formatting to wipe the hard drives.

However, to err on the side of caution, he said future machines set aside for donation will undergo a "more vigorous wipe" with software that "can do multiple passes and randomize the overwriting of data."

As a matter of practice, Palisades stores critical data on a file server and host mainframe server, not only to protect members, but also to centralize data storage, backup, and retrieval, he said.

Travis CU also plays the safe side, running a program that "wrote ones and zeros over every piece of the hard drive and then erased it," for the most recent computer donation, Beaudry noted.

"This process was run at least 10 times on each drive."
