When computers used by Metro's staff are auctioned or thrown away, all the files are supposed to be erased.
But that's not what happened with two computers with "WMATA business data" and users' personal information on them, a new report from Metro's inspector general says.
A report released in late May says an audit conducted in August found that two hard drives available for public auction contained thousands of files and the names of several previous users.
"These hard drives contained WMATA business data and user personally identifiable information (PII), which in the wrong hands, could be used for other than legitimate purposes," the report says.
The problem was discovered when Office of Inspector General staff selected two hard drives available for public auction and examined them.
The inspector general recommended increased security controls, which Metro agreed to, the report says.
A previous report by the inspector general, in 2012, also found that files were not erased before computers were auctioned.