For the fourth consecutive year, researchers have found sensitive data about companies and individuals on computers bought on eBay.
Despite media attention given to digital information that remains on used or discarded computer hard drives, companies and individuals worldwide have not yet mastered digital data disposal, according to a study done by an international consortium of researchers.
The researchers recently analyzed hard drives they bought in 2008 from resale and auction sites like eBay. They purchased the hard drives from five countries: the United Kingdom, the United States, Germany, France, and Australia. The analysis revealed that only 36 percent of the functioning disks had been effectively wiped of all data.
The work is part of an ongoing research effort aimed at assessing data that remains on computer hard disks that become available for purchase in the secondhand market. Researchers say little has changed over the course of the project, which has completed its fourth year.
“You would hope over a period of years that we would have started to notice significant improvements,” says Andy Jones, head of information security research at British Telecommunications (BT), who leads the research. But “despite the knowledge improving, despite the tools and techniques [for disposal] improving, we’re pretty much seeing the same things as we saw four years ago,” he says.
Researchers from BT’s Security Research Centre, Edith Cowan University in Western Australia, Longwood University in Virginia, and the University of Glamorgan in the United Kingdom found data from individuals on 37 percent of the disks and commercial data on 46 percent of them.
The report also notes an increase in the number of disks that contain a significant amount of both corporate and personal information, possibly reflecting an increased use of home computers for business purposes or more liberal corporate policies with regard to the personal use of company computers.
Some of the information discovered on the disks, which researchers say was easy to recover with off-the-shelf software, could expose individuals and firms to fraud, identity theft, or blackmail.
The results of the study attracted attention earlier this year when the media reported that the researchers had found details of test launch procedures for the U.S. Army’s Terminal High Altitude Area Defense (THAAD) ground-to-air missile defense system among the data on a disk bought on eBay. THAAD is being developed by defense contractor Lockheed Martin.
According to media reports, the same hard disk contained information about security policies and blueprints of the company’s facilities as well as the personal information of employees.
A disk recovered in France contained network and security data from another European country’s embassy in Paris, including internal IP addresses, security logs, and minutes of internal meetings. Another, recovered in Australia, originated from a nursing home and contained patient information.
Many IT and security managers see live computers as assets and obsolete ones as liabilities, notes Jones. As a result, they want old computers out of the organization as soon as possible. The problem is that they don’t think about what’s inside.
“If we have a filing cabinet, we can see that it’s full, feel that it’s full because it weighs a lot,” Jones says, “but as soon as you pull the plug on that computer, unless your asset tracking is very good, you have no idea what’s on it.
In addition, many people don’t know how to properly delete data before decommissioning a system, says Glenn Dardick, associate professor of information systems at Longwood University. “A lot of people think that if they format a hard drive, that when they resell that system, that that data is already gone, and that’s not the case,” Dardick says. “Formatting a drive very rarely will delete the data that’s already on that drive.”
Formatting a disk deletes the file structure, Jones explains, but the files remain untouched. He recommends a data erasure tool like one by Blancco, which is approved by the U.K. government.
Companies also fail to confirm that digital files are erased when they hire third-party contractors to dispose of equipment. Researchers found that companies hadn’t worded disposal contracts properly to ensure that the data was erased.
Many disposal companies fulfilled their contractual requirement by using the ineffective Windows format command. In all the cases investigated by the researchers, the organizations hiring disposal firms assumed that the disposal contracts adequately dealt with residual data, and the client, therefore, never audited the processes used by those contractors.
People who handle company data while working on a freelance or temporary basis from their homes are also an increasing concern. A paralegal who works from home, for example, may have information from an attorney on her personal computer. If she sells her computer without properly disposing of all the data, the lawyer’s information is still on that system.
“You have to know how to manage your subcontractors to maintain the privacy of your data,” Dardick says. The Health Insurance Portability and Accountability Act (HIPAA) addresses this problem for the health services industry in the United States by requiring owners of personal information to have subcontractors sign a form acknowledging that they’re responsible for maintaining data privacy.
The report recommends a range of measures to reduce the level of sensitive information exposed when hard disks are disposed of, including educating users, conducting risk assessments to determine the sensitivity of the information on disks, and developing best practices for handling and disposing of data.
The U.S. Department of Defense and the National Institute of Standards and Technology both provide good guidelines for decommissioning a computer system, the researchers say.