Secondhand Hard Drives Still Containing Data: Didn’t I Press Delete?

By Michael
March 11, 2014

I recently read an article on the website of Storage and Destruction Business (SDB) Magazine about a study of secondhand hard drives in the Australian market. Just a few months ago, in January 2014, the National Association for Information Destruction (NAID) performed a study to determine if hard drives sold onto secondary markets still contained sensitive information from their previous owners.

In short, they purchased hard drives from a variety of easily accessible retailers, such as eBay, and then had a forensic investigator determine if there was sensitive information available on the drives.  Out of 52 used hard drives that were purchased, 15 of them still contained sensitive personal and company information.  From the 15 drives with information still on them, eight of them had been recycled from organizations, including law firms and a government medical facility; and the remaining seven were individuals’ hard drives with personal information remaining on them.

The sale of used corporate hard drives containing sensitive information onto secondary markets has been an ongoing security issue. My two main takeaways from the results of the study:

  1. Most of the hard drives that were found to still contain sensitive information showed signs that operators had attempted to delete the data. However, after the investigator reviewed the hard drive further, he was able to find that all of the information remaining on the drive was available. NAID CEO Bob Johnson explains further that “the procedure used to find the information is intentionally very basic…. Had the data been properly erased, it could not have been found.” I find it very interesting that with sensitive information at risk and looming high-profile data breaches, organizations are not taking the necessary steps to effectively remove the data from the hard drives.
  2. I find it more important than ever for organizations to implement systems to track all of their hard drives that are offline and make sure information is wiped prior to destruction or reselling.  Without systems in place, it is going to be close to impossible to ensure security of your data on every offline asset.  Furthermore, if companies are going to rely on other companies to wipe the data, they need to be very careful when choosing those companies.  Some recycling and destruction companies still take data removal and asset disposal casually, but not all!

The result of not effectively wiping your data before handing your assets over to a recycling company, or of choosing a company that has a casual approach to data protection, is simply letting sensitive information get into the wrong hands. As in this case, within a few minutes, someone can have access to confidential information between you and your lawyer, your social security information, or your medical diagnoses and prescriptions.

Read the full article here: http://www.sdbmagazine.com/naid-australian-hard-drive-study.aspx