
Corporate Data Lingering on Old Drives: Advice From The Professionals

Hard Drives Contain Corporate Data

A 2012 “investigation commissioned by the [UK’s Information Commissioner] found that one in ten second-hand hard drives sold online contained personal information.” A new investigation published this week by Blancco Technology Group suggests that 78% of second-hand drives purchased from eBay and Craigslist now contain recoverable corporate or personal information. It seems that we are not improving our security awareness.

Blancco’s study involved the purchase and examination of 200 drives, both hard disk (around 93%) and solid state (around 8%), bought from eBay and Craigslist during the first quarter of 2016. In many cases (but not all) the data had been ‘deleted’, yet Blancco was still able to recover data from 78% of the drives: it had been deleted at the operating-system level rather than securely erased from the drive. The recovered data included company and personal emails, CRM records and spreadsheets.

The ability to recover data from used drives poses three separate threats. Sensitive corporate data can threaten both corporate reputation and corporate IP. Sensitive personal information can lead to identity theft and serious financial issues for the people concerned. But it can also put the company in jeopardy of both federal and state privacy laws — and of course the upcoming European General Data Protection Regulation (GDPR).

“It’s the responsibility of the original user or owner to properly sanitize their equipment before it’s traded in, resold, donated or discarded,” concludes the report. “If individuals simply rely on others to take care of protecting their data, that’s just irresponsible… and can cause serious financial, legal and reputational damage.”

SecurityWeek approached a number of CIOs and chief security officers in major US companies to see how they handle the problem. One, who wishes to remain anonymous, commented, “We either securely wipe hard drives before any redeployment, and then reinstall a base OS; or we physically destroy the drives with a crusher.” He goes further and actually melts the crushed drives to recover any useful metals.

This company does not generally sell old PCs (other than occasionally to staff, or as donations to charities), nor does it sell on to equipment resellers. “The cost of shipping generally wipes out any profit, and not doing so further limits our exposure.”

Asked about personal devices, with BYOD in mind, he said, “We do not generally dispose of personal devices, but we have done so on request. We follow the same process as above. So, yes, this could be a gap, as most users will not securely wipe or crush their hard drives.”

Gary Bailey, VP of IT at Penn Virginia Corporation, explained that he requires the hard drive on an internal PC being re-commissioned to another employee to be completely reformatted and a brand new install loaded on the device. “The same is true for mobile devices,” he added. “They must be completely wiped and re-installed with all new configuration parameters, software, etc.”


Penn Virginia is not averse to selling on old equipment to outside purchasers. But, he said, “we require a ‘certificate of destruction’, meaning that the local hard drive is either shredded or completely wiped using DOD (Department of Defense) approved software.”

While these companies have close control over the disposal of old equipment, the Blancco study makes it clear that many companies and individuals do not. And even the most thorough of companies might need to re-examine their processes in light of burgeoning BYOD practices.

Perhaps the main lesson to be learned is that not everybody yet understands the difference between secure erase and a simple OS-level delete. Where companies or individuals do not have the technical capacity to properly erase or completely wipe data, there are software applications that can do it for them. If this cannot be done, old devices should be donated to charities or sold to purchasers who will provide that ‘certificate of destruction’.
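To make that distinction concrete, here is an added illustration (not from the article or from Blancco’s report) using a toy block device in Python. It assumes a simplified filesystem model of the author's own devising: an OS-level delete drops only the allocation entry, so a raw scan of the media still finds the record, whereas an erase that overwrites the blocks before freeing them leaves nothing to carve.

```python
"""Toy block device: why an OS-level delete is recoverable and an overwrite is not.
This is a constructed model for illustration, not a real filesystem driver."""
import os

BLOCK = 64    # bytes per block (constructed toy size)
BLOCKS = 16   # blocks on the toy "drive"


class ToyDisk:
    """A flat byte array (the media) plus an allocation table (the filesystem)."""

    def __init__(self):
        self.media = bytearray(BLOCK * BLOCKS)
        self.alloc = {}  # filename -> list of block numbers

    def _free_blocks(self):
        used = {b for blocks in self.alloc.values() for b in blocks}
        return [b for b in range(BLOCKS) if b not in used]

    def write(self, name, data):
        nblocks = -(-len(data) // BLOCK)  # ceiling division
        free = self._free_blocks()
        if nblocks > len(free):
            raise OSError("toy disk full")
        blocks = free[:nblocks]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            self.media[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.alloc[name] = blocks

    def os_delete(self, name):
        """Plain delete: only the allocation entry goes; block contents stay on the media."""
        del self.alloc[name]

    def secure_erase(self, name, passes=3):
        """Overwrite every block of the file (random passes, then zeros) before freeing it."""
        for b in self.alloc[name]:
            for _ in range(passes - 1):
                self.media[b * BLOCK:(b + 1) * BLOCK] = os.urandom(BLOCK)
            self.media[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)
        del self.alloc[name]


def carve(disk, marker):
    """Forensic-style raw scan of the media that ignores the allocation table entirely."""
    return disk.media.find(marker) != -1


def demo():
    # Constructed sample record standing in for the CRM exports the report mentions.
    record = b"CRM-EXPORT: Jane Doe, jane@example.com, card ending 4242\n" * 3
    d = ToyDisk()
    d.write("crm.csv", record)
    d.os_delete("crm.csv")                     # OS-level delete
    found_after_delete = carve(d, b"CRM-EXPORT")
    d.write("crm.csv", record)                 # same blocks are reused
    d.secure_erase("crm.csv")                  # overwrite, then free
    found_after_erase = carve(d, b"CRM-EXPORT")
    return found_after_delete, found_after_erase
```

Running `demo()` returns `(True, False)`: the raw scan still finds the record after the plain delete but not after the overwrite.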

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
