A 2012 “investigation commissioned by the [UK’s Information Commissioner] found that one in ten second-hand hard drives sold online contained personal information.” A new investigation published this week by Blancco Technology Group suggests that 78% of second-hand drives purchased from eBay and Craigslist now contain recoverable corporate or personal information. It seems that we are not improving our security awareness.
Blancco’s study involved the purchase and examination of 200 drives, both hard disk (around 93%) and solid state (around 8%), from eBay and Craigslist during the first quarter of 2016. While in many cases (but not all) data had been ‘deleted’, Blancco was able to recover data from 78% of the drives. It had been deleted under the operating system rather than securely erased from the drive. This data included company and personal emails, CRM records and spreadsheets.
The ability to recover data from used drives poses three separate threats. Sensitive corporate data can threaten both corporate reputation and corporate IP. Sensitive personal information can lead to identity theft and serious financial issues for the people concerned. But it can also put the company in jeopardy of both federal and state privacy laws — and of course the upcoming European General Data Protection Regulation (GDPR).
“It’s the responsibility of the original user or owner to properly sanitize their equipment before it’s traded in, resold, donated or discarded,” concludes the report. “If individuals simply rely on others to take care of protecting their data, that’s just irresponsible… and can cause serious financial, legal and reputational damage.”
SecurityWeek approached a number of CIOs and chief security officers in major US companies to see how they handle the problem. One, who wishes to remain anonymous, commented, “We either securely wipe hard drives before any redeployment, and then reinstall a base OS; or we physically destroy the drives with a crusher.” He goes further and actually melts the crushed drives to recover any useful metals.
This company does not generally sell old PCs (other than occasionally to staff, or as donations to charities), nor does it sell on to equipment resellers. “The cost of shipping generally wipes out any profit, and not doing so further limits our exposure.”
Asked about personal devices, with BYOD in mind, he said, “We do not generally dispose of personal devices, but we have done so on request. We follow the same process as above. So, yes, this could be a gap, as most users will not securely wipe or crush their hard drives.”
Gary Bailey, VP of IT at Penn Virginia Corporation, explained that he requires the hard drive on an internal PC being re-commissioned to another employee to be completely reformatted and a brand new install loaded on the device. “The same is true for mobile devices,” he added. “They must be completely wiped and re-installed with all new configuration parameters, software, etc.”
Penn Virginia is not averse to selling on old equipment to outside purchasers. But, he said, “we require a ‘certificate of destruction’, meaning that the local hard drive is either shredded or completely wiped using DOD (Department of Defense) approved software.”
While these companies have close control over the disposal of old equipment, the Blancco study makes it clear that many companies and individuals do not. And even the most thorough of companies might need to re-examine their processes in light of burgeoning BYOD practices.
Perhaps the main lesson to be learned is that not everybody yet understands the difference between secure erase and a simple OS-level delete. Where companies or individuals do not have the technical capacity to properly erase or completely wipe data, there are software applications that can do it for them. If this cannot be done, old devices should be donated to charities or sold to purchasers who will provide that ‘certificate of destruction’.