During a computer upgrade, some may be tempted to toss old hard
drives on the curbside or sell them on eBay. But it might be better
to smash them with a baseball bat. Otherwise, computer forensics
expert Simson L. Garfinkel warns, sensitive data within those hard
drives could someday end up in the wrong hands.

"When retiring a hard drive, physical destruction makes information inaccessible."
Simson L. Garfinkel, researcher, Harvard University Department of Computer Science

Garfinkel, a postdoctoral fellow at the Center for Research on
Computation and Society at Harvard University, touted the
importance of proper hard drive disposal at the
MIS Training Institute's Annual Conference and
Expo on Control and Audit of Information Technology in
Boston last week.
"When retiring a hard drive, physical destruction makes
information inaccessible," he said.
But after an extensive investigation, he has found that many
old hard drives remain in circulation with reams of sensitive
information intact. Many are repurposed or sold, and some end up on
eBay. One company had a 300-machine upgrade and needed to unload
the old hard drives, Garfinkel said. They were sold for spare
parts.
"Since 1998, I have purchased 1,000-plus hard drives on the
secondary market and had them delivered by FedEx," Garfinkel
said.
Garfinkel and fellow researcher Abhi Shelat conducted some
earlier research on the scope of the problem
when they collected 158 hard drives from online auction services,
swap meets and used computer equipment shops.
They rummaged through the old machinery and found thousands of
credit-card numbers, financial records, medical information, trade
secrets and other highly personal information.
"You name it, we found it," Garfinkel said.
He then contacted 20 organizations to ask them why he was able
to obtain their data. According to the feedback he received, the
biggest problem was that the organizations trusted others to
properly dispose of the drives. Instead, they were sent to various
places with the data intact. One auto dealership, for example,
hired a consultant to update its computers and assumed the old
machines were destroyed. Instead, the contractor sold the pieces on
eBay.
A second problem is that employees weren't properly trained in
data destruction techniques. As a result, sensitive data kept by a
California electronics manufacturer, a supermarket credit card
processing terminal and a Chicago bank's ATM machine made it out
into the world.
In some cases, he found that the affected parties simply didn't
care. Two examples were a bankrupt Internet software developer and
a computer magazine that had gone through layoffs. "There just
wasn't a concern," Garfinkel said. "They weren't paying
attention."
The hard drive problem is just one example of why organizations
need to audit their security controls, Garfinkel said. In fact, his
larger presentation at the MIS confab was on the value of forensics
and self-auditing.
He said companies can use forensics to "understand what's
actually going on" over their network and test the effectiveness of
application performance and security. It can also be used to review
regulatory compliance efforts and track the flow of data across
network boundaries.
And, of course, it could be used to track old hard drives and
see if they've been properly disposed of.