Corporate Data Lingering on Old Drives: Advice From The Professionals

Hard Drives Contain Corporate Data

A 2012 “investigation commissioned by the [UK’s Information Commissioner] found that one in ten second-hand hard drives sold online contained personal information.” A new investigation published this week by Blancco Technology Group suggests that 78% of second-hand drives purchased from eBay and Craigslist now contain recoverable corporate or personal information. It seems that we are not improving our security awareness.

Blancco’s study involved purchasing and examining 200 drives, hard disk (around 93%) and solid state (around 8%), bought from eBay and Craigslist during the first quarter of 2016. In many cases (though not all) the previous owner had ‘deleted’ the data, yet Blancco recovered data from 78% of the drives: the files had been deleted through the operating system, which removes only the file-system reference and leaves the underlying sectors intact, rather than securely erased from the drive. The recovered data included company and personal emails, CRM records and spreadsheets.

The ability to recover data from used drives poses three separate threats. Exposed corporate data endangers both corporate reputation and corporate IP. Exposed personal information can lead to identity theft and serious financial harm for the people concerned. And the leak can put the company in breach of federal and state privacy laws, and of the upcoming European General Data Protection Regulation (GDPR).

“It’s the responsibility of the original user or owner to properly sanitize their equipment before it’s traded in, resold, donated or discarded,” concludes the report. “If individuals simply rely on others to take care of protecting their data, that’s just irresponsible… and can cause serious financial, legal and reputational damage.”

SecurityWeek approached a number of CIOs and chief security officers in major US companies to see how they handle the problem. One, who wishes to remain anonymous, commented, “We either securely wipe hard drives before any redeployment, and then reinstall a base OS; or we physically destroy the drives with a crusher.” He goes further and actually melts the crushed drives to recover any useful metals.

This company does not generally sell old PCs (other than occasionally to staff, or as donations to charities), nor does it sell on to equipment resellers. “The cost of shipping generally wipes out any profit, and not doing so further limits our exposure.”

Asked about personal devices, with BYOD in mind, he said, “We do not generally dispose of personal devices, but we have done so on request. We follow the same process as above. So, yes, this could be a gap, as most users will not securely wipe or crush their hard drives.”

Gary Bailey, VP of IT at Penn Virginia Corporation, explained that he requires the hard drive on an internal PC being re-commissioned to another employee to be completely reformatted and a brand new install loaded on the device. “The same is true for mobile devices,” he added. “They must be completely wiped and re-installed with all new configuration parameters, software, etc.”

Penn Virginia is not averse to selling on old equipment to outside purchasers. But, he said, “we require a ‘certificate of destruction’, meaning that the local hard drive is either shredded or completely wiped using DOD (Department of Defense) approved software.”

While these companies have close control over the disposal of old equipment, the Blancco study makes it clear that many companies and individuals do not. And even the most thorough of companies might need to re-examine their processes in light of burgeoning BYOD practices.

Perhaps the main lesson to be learned is that not everybody yet understands the difference between a secure erase and a simple OS-level delete. Deleting a file, emptying the recycle bin, or even running a quick format only removes the file system’s reference to the data; the sectors themselves stay intact until something happens to overwrite them, which is why Blancco could recover emails and spreadsheets from drives whose previous owners believed they had been cleaned. A secure erase overwrites every sector or, on an SSD, invokes the drive’s own secure erase or sanitize command, since wear levelling can leave copies of data in flash blocks the operating system cannot address. Companies or individuals without the technical capacity to do this themselves can use purpose-built wiping software. If that cannot be done, old devices should only go to charities or purchasers who will provide that ‘certificate of destruction’.
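The following is an added illustration, not code from the article or from Blancco, of why an OS-level delete (and the quick reformat mentioned above) leaves data recoverable while a secure erase does not. It models a tiny block device with a directory table: delete and quick format only drop the directory entry, a carver then scans the raw image for e-mail boundaries the way forensic tools do, and only an overwrite of every block defeats it. The block size, the file layout, the e-mail message and the ‘From: … \r\n.\r\n’ boundaries are all constructed for the example.

```python
import secrets

BLOCK_SIZE = 64   # bytes per block in the toy device (assumed)
NUM_BLOCKS = 32


class ToyDisk:
    """A block device image plus a directory table, standing in for a file system."""

    def __init__(self):
        self.image = bytearray(BLOCK_SIZE * NUM_BLOCKS)
        self.directory = {}                  # file name -> ordered block numbers
        self.free = list(range(NUM_BLOCKS))  # unallocated blocks, lowest first

    def write_file(self, name, data):
        """Allocate blocks from the free list and copy the data in, one block at a time."""
        blocks = []
        for off in range(0, len(data), BLOCK_SIZE):
            chunk = data[off:off + BLOCK_SIZE]
            blk = self.free.pop(0)
            start = blk * BLOCK_SIZE
            self.image[start:start + len(chunk)] = chunk
            blocks.append(blk)
        self.directory[name] = blocks

    def read_file(self, name):
        """Read through the directory, the only way the 'OS' can find a file."""
        out = bytearray()
        for blk in self.directory[name]:          # KeyError once the entry is gone
            out += self.image[blk * BLOCK_SIZE:(blk + 1) * BLOCK_SIZE]
        return bytes(out).rstrip(b"\x00")

    def delete(self, name):
        """OS-level delete: release the directory entry, leave the blocks untouched."""
        self.free.extend(self.directory.pop(name))
        self.free.sort()

    def quick_format(self):
        """Quick format: rebuild an empty directory, again without touching block contents."""
        self.directory = {}
        self.free = list(range(NUM_BLOCKS))

    def secure_erase(self):
        """Overwrite every block (random pass, then zero pass) so nothing is left to carve."""
        n = len(self.image)
        self.image[:] = secrets.token_bytes(n)
        self.image[:] = bytes(n)
        self.quick_format()


MAIL_HEADER = b"From: "        # constructed message start marker
MAIL_FOOTER = b"\r\n.\r\n"     # constructed message end marker


def carve_emails(image):
    """File carving: ignore the directory and scan the raw bytes for message boundaries.

    This works because the toy writes files contiguously; a real carver must also
    cope with fragmentation and blocks that were partially overwritten since.
    """
    found, pos = [], 0
    while True:
        start = image.find(MAIL_HEADER, pos)
        if start < 0:
            return found
        end = image.find(MAIL_FOOTER, start)
        if end < 0:
            return found
        found.append(bytes(image[start:end + len(MAIL_FOOTER)]))
        pos = end + len(MAIL_FOOTER)


def verify_wiped(image):
    """Post-wipe check: every byte reads back as zero.

    Real procedures sample sectors across the whole device; for SSDs they rely on
    the firmware's secure erase / sanitize command rather than host-side overwrites.
    """
    return not any(image)


def demonstrate():
    disk = ToyDisk()
    # Constructed sample message; not real data.
    msg = (b"From: cfo@example.com\r\nTo: board@example.com\r\n"
           b"Subject: Q2 forecast\r\n\r\nRevenue tracking 12% below plan.\r\n.\r\n")
    disk.write_file("q2.eml", msg)
    disk.delete("q2.eml")
    after_delete = carve_emails(disk.image)     # the message is still on disk
    disk.quick_format()
    after_format = carve_emails(disk.image)     # a quick format does not help either
    disk.secure_erase()
    after_erase = carve_emails(disk.image)      # nothing left to carve
    return {"after_delete": after_delete, "after_format": after_format,
            "after_erase": after_erase, "wiped": verify_wiped(disk.image)}


if __name__ == "__main__":
    r = demonstrate()
    print("carved after delete:", len(r["after_delete"]),
          "after quick format:", len(r["after_format"]),
          "after secure erase:", len(r["after_erase"]), "wiped:", r["wiped"])
```

On a real drive the equivalents of `secure_erase` are the ATA SECURE ERASE and NVMe sanitize/format commands exposed by tools such as hdparm and nvme-cli, or a full overwrite for spinning disks; the equivalent of `verify_wiped` is reading sectors back, sampled across the whole device, and confirming they contain nothing but the fill pattern before the drive leaves your custody.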

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
