No business should expose a single asset that hasn’t had a data wipe performed on it, according to an Info-Tech Research Group Ltd. analyst.
The warning comes after a group of University of British Columbia journalism students uncovered a data drive containing information about a multi-million dollar U.S. Department of Homeland Security defence contract in a recent trip to Ghana. The B.C. students, who were visiting the African country as part of a study about electronic waste, paid about $40 for the second-hand hard drive.
The discarded hard drive included information about hiring and personnel contracts of a variety of U.S. defence organizations — including information about private military contractor Northrop Grumman Corp. — as well as credit card numbers and personal photos, according to published reports citing the students.
“From what it looked like, (the drive) hadn’t even been deleted,” said London, Ont.-based Info-Tech security analyst James Quin. “The first step is deleting, the second step is formatting, the third step is overwriting and the fourth step is destruction. It looks like they hadn’t even done Step 1 for a situation where Step 3 is definitely required and Step 4 might have been a better option.”
Very few organizations, he said, have the policies in place for media sanitization and disposal. For the average organization, looking into data wiping packages should be the minimum standard.
“Data or disk wiping software goes through and overwrites all of the material that already exists on the disk,” he said. “It may overwrite it with nothing but ones or zeros, but the purpose is it goes through and it replaces the data with jargon.”
Quin admitted that highly sophisticated criminals might still be able to recover data after this process is performed, especially if the information has been stored on the disk for an extended period of time.
“But at that point it comes down to risk versus reward for the criminals,” he said. “The cost is so high for the bad guys to try and recover the information it’s probably not going to be worth their time.”
For the most sensitive corporate data, Quin recommended tools that do multiple passes of disk wiping. “Beyond that, the only other option is hardcore, physical destruction.”
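The four-step ladder Quin describes (delete, format, overwrite, destroy) and the single-pass versus multi-pass wiping he discusses can be made concrete with a small model. The following is an added example, not code from the article or from Info-Tech; it uses a constructed toy "volume" (a byte array with a simple directory table) rather than a real filesystem or block device, and the file names and record contents are made up. It shows why a plain delete leaves the bytes recoverable by a raw scan of the media, how an overwrite pass replaces them with a fixed pattern or random data, and how a read-back verification confirms that the last pass actually landed on every byte.

```python
"""Toy model of media sanitization: delete vs. overwrite (constructed example).

A 'volume' is a bytearray; a directory dict maps file names to (offset, length).
Deleting a file only removes its directory entry, so a raw scan of the media
still finds the bytes. Overwriting replaces every byte with a pattern or with
random data, and a read-back pass verifies the wipe. This is a teaching model,
not a replacement for a real sanitization tool or physical destruction.
"""
import secrets

BLOCK = 512          # block size of the toy volume (constructed value)
VOLUME_BLOCKS = 16   # 8 KiB total, enough for the demonstration


def new_volume():
    """Return an empty volume image and an empty directory."""
    return bytearray(BLOCK * VOLUME_BLOCKS), {}


def write_file(volume, directory, name, data):
    """Store data in the first block-aligned gap that fits; record it in the directory."""
    used = sorted((off, off + ln) for off, ln in directory.values())
    offset = 0
    for start, end in used:
        if start - offset >= len(data):      # a gap before this region fits
            break
        offset = ((end + BLOCK - 1) // BLOCK) * BLOCK   # next aligned block after it
    if offset + len(data) > len(volume):
        raise ValueError("volume full")
    volume[offset:offset + len(data)] = data
    directory[name] = (offset, len(data))


def delete_file(directory, name):
    """'Step 1' deletion: the directory entry goes away, the bytes on the media do not."""
    del directory[name]


def raw_scan(volume, needle):
    """What a recovery tool does: search the raw media, ignoring the directory."""
    return volume.find(needle) != -1


def overwrite_volume(volume, directory, passes=1, pattern=None):
    """'Step 3' sanitization: overwrite every byte `passes` times, then verify.

    pattern=None writes cryptographically random bytes on each pass; a bytes
    pattern such as b'\\x00' or b'\\xff' is repeated across the whole media.
    Returns True only if reading the media back matches the last pass written.
    """
    if passes < 1:
        raise ValueError("at least one pass is required")
    if pattern is not None and len(pattern) == 0:
        raise ValueError("pattern must not be empty")
    expected = None
    for _ in range(passes):
        if pattern is None:
            expected = secrets.token_bytes(len(volume))
        else:
            expected = (pattern * (len(volume) // len(pattern) + 1))[:len(volume)]
        volume[:] = expected
    directory.clear()   # nothing on the media is addressable any more
    # Verification pass: read back and compare with what the last pass wrote.
    return bytes(volume) == expected


def sanitization_demo():
    """Walk through delete -> raw scan -> zero wipe -> multi-pass wipe; return the findings."""
    # Constructed sensitive record; the identifiers are placeholders, not real data.
    secret = b"constructed sensitive record: contract 0000, card 0000-0000-0000"
    volume, directory = new_volume()
    write_file(volume, directory, "contract.txt", secret)
    write_file(volume, directory, "notes.txt", b"constructed harmless note")

    delete_file(directory, "contract.txt")
    found_after_delete = raw_scan(volume, b"contract 0000")   # still there

    zero_ok = overwrite_volume(volume, directory, passes=1, pattern=b"\x00")
    found_after_zero = raw_scan(volume, b"contract 0000")     # gone

    # Multi-pass variant for the most sensitive data: ones, zeros, then random,
    # each pass verified by read-back.
    write_file(volume, directory, "contract.txt", secret)    # stage fresh data
    multipass_ok = (overwrite_volume(volume, directory, pattern=b"\xff")
                    and overwrite_volume(volume, directory, pattern=b"\x00")
                    and overwrite_volume(volume, directory, pattern=None))

    return {
        "found_after_delete": found_after_delete,
        "zero_wipe_verified": zero_ok,
        "found_after_zero_wipe": found_after_zero,
        "multipass_verified": multipass_ok,
    }


if __name__ == "__main__":
    for key, value in sanitization_demo().items():
        print(f"{key}: {value}")
```

On real media the same shape applies: the wipe tool must cover every addressable sector (including space no file currently claims) and the verification read must come from the device, not from a cache; as the article notes, remapped or worn areas that the host cannot address are what push the most sensitive cases toward physical destruction.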
According to a recent study sponsored by British Telecommunications Group and Sims Lifecycle Services and researched by Wales’ University of Glamorgan, America’s Longwood University and Australia’s Edith Cowan University, about a third of disused hard drives still contain confidential data. The researchers also found missile defence system data and media records on eBay Inc. purchases and dug up secret data from the German Embassy in Paris.
“It is clear from the sensitive information revealed by this study that a wide range of organizations, businesses and individuals all over the world are fundamentally failing in their duty to properly manage sensitive data when their IT equipment passes outside of their control,” said Kumar Radhakrishnan, senior vice-president of the Asian-Pacific region at Sims Recycling Solutions, a division of Sims Group Ltd.
For Quin, companies have to be cautious even when donating used technology to charity as the equipment could be of little use to the organization, which might even sell it off to another recycling company. “Donating or recycling is a positive thing to do, but once that asset has moved out of your location, it’s out of your possession for good.”
Enterprises will want to look at the track record of the recycling providers they choose, including the service level agreements they offer, how they carry out the data elimination and whether or not they have gone through a SAS 70 audit, he said.
Ultimately, though, if companies are concerned with having the right policies in place to truly wipe out their data, they won’t have to worry about where the old equipment might be headed, Quin said.
– With files from IDG News Wire, Kathryn Edwards (Computerworld Australia)