Sensitive Information Still On Secondhand HDDs

August 10th, 2006: Australia's Edith Cowan University, in concert with the University of Glamorgan in Wales, has released its second report into the disposal of hard disk storage. And it makes ugly reading.

The research, which was carried out with support from the UK's BT Exact, used 317 pre-owned hard drives purchased from Australia, the UK, North America and Germany. Although 41% could no longer be read, 20% held the kind of data that could be used for identity fraud. And 5% held business-sensitive information and, according to a report in the UK's Guardian newspaper, data relating to a childcare centre.

These statistics are actually an improvement on the previous year's, but still highlight the fact that data on the most common mass data storage format, the humble hard disk, are simply not being efficiently erased before being placed on sale.

Dr Andy Jones, Head of Security Technology Research at BT, who led the research, said: "So much has been said already about the availability of information disposal tools, increasing legislative pressures and the growing literacy of computer users that it is difficult to explain why there is still such poor cleansing of disks.

"When organisations dispose of surplus and obsolete computers and hard drives, they must ensure that, whether they are handled by internal resources or through a third party contractor, adequate procedures are in place to destroy any data and also to check that the procedures that are in place are effective."

Not only does this represent potentially massive commercial and personal security issues, it is also illustrative of flawed policy at a basic level of what our market sees as Information Lifecycle Management (ILM).

The fact that these improperly treated HDDs contained readable data also highlights problems with the approach to data integrity. High-quality data encryption is widely available today, both commercially and in the form of Open Source or freeware. Encrypting data on-disk does at least serve as a second-level defence in the event that storage is not correctly sanitised before resale.
