During a computer upgrade or computer replacement, many are tempted to toss the old hard drive on the curbside, sell it on eBay or donate it to a local school or charity group. But if the data contained on those old drives has not been properly erased before discarding, it might be safer to smash them with a hammer.
If proper steps are not taken to sanitize the data on the hard drives, the data could end up in the wrong hands and lead to numerous damaging events including industrial espionage, cyber attack, identity theft, embarrassing leaks of information [think WikiLeaks] or contravention of sensitive data laws such as those covering patient privacy or stock exchange disclosures.
There have been numerous studies by university IT departments in which they buy discarded hard drives online, pick them from the trash or find them at garage sales or used computer stores. These drives are then examined using computer forensic tools to ascertain what data they still contain.
The results in the past have been startling. Old files located on the hard drives have included credit card information, personal medical details, business plans with trade secrets, personal finance calculations and business emails. One hard drive was found to have been taken from a bank ATM and contained details of thousands of banking transactions!
A notable pioneer of this process has been Simson Garfinkel, a postdoctoral fellow at the Center for Research on Computation and Society at Harvard University. Garfinkel, a computer forensic expert, has been obtaining old hard drives and examining them for residual information since 1998.
Garfinkel has followed up by contacting some of the organisations and inquiring as to how their data came to be left on these discarded hard drives. One organisation revealed that they had upgraded some hundreds of computers and had let go of the old drives to be sold as spare parts. They had mistakenly assumed that the contractor would take steps to sanitize the data for them.
Another issue has been that employees weren’t properly trained or directed in data destruction techniques. Therefore, the employees overseeing the disposal of hard drives had no guidelines on how to act or what steps to take to completely delete the data held on the old hard drive. The hard drive disposal issue is just one example of why organizations need to formalize and audit their security controls. Organizations need to understand these issues and track their data flows from beginning to end so as to preserve their security.
Data protection and security can be enhanced by following these useful tips:
- Have the IT and Security departments formulate a suitable approach to data handling and data destruction
- Incorporate these steps and approaches in a set of guidelines and instructions for all IT personnel and other employees to adhere to
- Set up an audit trail tracking all hardware containing data as well as data moving across network boundaries
- Make the general employees and management aware of data protection and the issue of leaks – apply this to mobile devices including laptops, iPhones and smart phones
- Regularly review these guidelines and instructions along with spot checks to ensure that they are being understood and followed
Do you need to know more about our services and how Regents can assist you with preventing information loss and securing your computer network? Simply go to our Computer Forensics page for our phone numbers or else send an email to contactus@regentsriskadvisory.com with your contact details and we will respond at once.