34% of discarded hard drives contain confidential data
7/May/2009
A study sponsored by BT and Sims Lifecycle Services and carried out by the forensic computer science laboratories at University of Glamorgan in Wales, Edith Cowan University in Australia and Longwood University in the US, has revealed that 34% of discarded hard drives still contain confidential data. The nature of the data might even have threatened national security if found by the wrong hands:
An array of discarded hard drives - the study revealed that 34% still contain confidential data
- A disk bought on eBay revealed details of test launch procedures for the THAAD (Terminal High Altitude Area Defence) ground to air missile defence system. The disk also contained information belonging to the system’s designer, Lockheed Martin. This included security policies, blueprints of facilities and personal information on employees, including social security numbers. Lockheed Martin denies the disk came from them and currently an investigation is being completed into where it came from.
- Two disks from the UK appear to have originated from Lanarkshire NHS Trust containing information from the Monklands and Hairmyres hospitals including: patient medical records, images of x-rays, medical staff shifts and sensitive and confidential staff letters. In Australia one disk was found to be from a nursing home that contained similar information including pictures of actual patients and their wound photos.
- A disk from a US bank revealed account numbers and details of proposals for a $50 billion currency exchange through Spain. There also appeared details of business dealings originating in the US with organisations in Venezuela, Tunisia and Nigeria. Personal correspondence was also found from a member of the Federal Reserve Board suggesting one of the deals, already under scrutiny by the European Central Bank, looked suspicious.
- Confidential material including network data and security logs from the German Embassy in Paris were discovered on a disk from France.
- A number of disks contained data from a well known UK based fashion company– including information relating to trading performance, budgets, discount codes and customer names and addresses. Another contained what appeared to be corporate data from a major motor manufacturing company – including references to design and engineering for vehicle interiors.
Mobile phones store a range of confidential data which also needs to be destroyed prior to disposal
Jon Godfrey of Sims Recycling Solutions, who provide secure data destruction as part of their global electronic asset recovery business said: “it is clear from the sensitive information revealed by this study that a wide range of organisations, businesses and individuals all over the world are fundamentally failing in their duty to properly manage sensitive data when their IT equipment passes outside of their control. IT Directors budget vast amounts of money on data security to protect live data on the equipment they use day-to-day, yet fail to realise that the data has a value which far exceeds the useful life of the equipment.
“It is vital to realise that residual data can still be accessed years after the equipment has been discarded and in the wrong hands could have not only financial consequences but potential implications for national security. It is essential that organisations destroy data via a professional and secure data destruction system or through physical destruction, before passing the equipment for secondary use.
The volume of data being recklessly discarded is growing exponentially with the size and diversity of devices. They hold a snapshot of our lives and must be erased or recycled professionally. The problem is not just limited to hard disk drives. Mobile phones, MP3 players, SatNavs, Printers and even set top boxes all store a snapshot of our lives and this information is finding its way to China, Africa and Eastern Europe.
This interest is demonstrated in recent findings from Nigeria that show devices with data on are more expensive than those which have had data securely erased. This means the data dictates the price and not the specification of the device. In other words there is an illicit demand for data.