Channel beware: permanent data destruction is harder than it looks

Secure data erasure should be part of public sector security strategies but the channel should beware: permanent data destruction is harder than it looks, says Kroll Ontrack’s Moradeyo Komolafe

The UK Information Commissioner’s Office (ICO) recently published the number of data breaches committed this year. The findings reveal that half were due to carelessness, and that most of the data breach scandals occurred in sectors that store highly sensitive data. Local councils and the health sector were the biggest offenders and paid over £4 million worth of fines in 2013. A big worry is that the government body only issues fines for gross negligence, which means the public sector had committed serious infringements. In comparison, the amount paid out by private businesses was a mere £600,000.

One of the most notable cases involved NHS Surrey, which was fined £200,000 after it publicly leaked the records of 3,000 patients. The loss occurred because the data destruction company in charge of recycling the hospital’s computers hadn’t properly destroyed the records. Instead, it unwittingly passed on data, believing that crushing the hard drives of the computers was enough to permanently erase the information.

Any reputable data erasure specialist knows this method of disposal is far from foolproof. Deleted data can often be retrieved from damaged equipment or from formatted or corrupt volumes – even from initialised disks. Kroll Ontrack knows this better than any other firm. Our most famous data recovery was from a cracked and singed hard drive that fell to Earth in the debris from the Space Shuttle Columbia in 2003! In the case of NHS Surrey, the ICO was alerted to the breach not by a hardened criminal with amazing tech skills, but by a member of the public who had purchased one of the computers and found the data on their desktop.

The public sector outsources the bulk of its IT responsibilities to the channel, so the channel needs to work with skilled data destruction companies to protect its own reputation as well as those of its clients. Knowing who to trust requires a bit of research in the selection process. A quick Google search will reveal many companies promising the same results, so channel beware. Do a background check of the company before choosing the right data destruction partner. Find out if the organisation employs trained engineers and whether they work in a clean room. Ask for customer case studies. Find out the methods they use to destroy data.

For example, permanent erasure requires the use of accredited erasure software or, for non-functioning computers, a degausser. Accredited tools not only wipe all traces of data but also provide companies with erasure verification reports, which are vital for compliance audits. The reports list what has been deleted and identify the serial number, make and model of the hard drive removed. The date and time of erasure and the amount of information that has been erased are also recorded. For non-functioning hardware, a degausser ensures all data is permanently irrecoverable.
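To show what the verification step behind such a report actually proves, here is an added example (not Kroll Ontrack’s tooling or the page’s own code). It overwrites a device with a fixed pattern, reads every byte back to confirm nothing survived, and records the make, model, serial number, timestamp and byte count the text says an audit report needs; the drive identifiers and the file standing in for a block device are constructed.

```python
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 4096  # write/verify granularity in bytes


def wipe_device(path: str, pattern: bytes = b"\x00") -> int:
    """Overwrite every byte of the device (a file stands in for it here)
    with a one-byte pattern and flush to stable storage. Returns bytes written."""
    size = os.path.getsize(path)
    chunk = pattern * BLOCK
    with open(path, "r+b") as dev:
        written = 0
        while written < size:
            n = min(BLOCK, size - written)   # handle a partial final block
            dev.write(chunk[:n])
            written += n
        dev.flush()
        os.fsync(dev.fileno())
    return written


def verify_wipe(path: str, pattern: bytes = b"\x00") -> tuple:
    """Read the whole device back; return (ok, offset of first surviving byte or -1)."""
    with open(path, "rb") as dev:
        offset = 0
        while True:
            buf = dev.read(BLOCK)
            if not buf:
                return True, -1
            if buf != pattern * len(buf):
                bad = next(i for i, b in enumerate(buf) if b != pattern[0])
                return False, offset + bad
            offset += len(buf)


def erasure_report(path: str, make: str, model: str, serial: str) -> dict:
    """Wipe, verify, and assemble the fields a compliance audit expects."""
    written = wipe_device(path)
    ok, first_bad = verify_wipe(path)
    return {"make": make, "model": model, "serial": serial,
            "erased_at_utc": datetime.now(timezone.utc).isoformat(),
            "bytes_erased": written, "verified": ok,
            "first_unerased_offset": first_bad}


if __name__ == "__main__":
    fd, dev_path = tempfile.mkstemp()  # constructed stand-in for a drive
    os.close(fd)
    with open(dev_path, "wb") as f:
        f.write(b"CONSTRUCTED PATIENT RECORD\n" * 2000)
    print(erasure_report(dev_path, "ExampleMake", "ExampleModel", "SN-CONSTRUCTED"))
    os.remove(dev_path)
```

Reading back through the operating system only proves the addressable area was overwritten; sectors the drive’s firmware has remapped are out of reach, which is one reason accredited tooling and its report, or a degausser for dead drives, carry more weight than an ad hoc script.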

Some data destruction companies don’t have the technical knowledge to use the correct tools – which explains why they choose to smash a hard drive instead.

The computers belonging to NHS Surrey were compromised the moment they left the hospital, leading to a scandal which will take a while to forget. A clear warning has been sent to all IT managed service providers for the public sector: the channel must take the threat of data breaches seriously or risk damaging its reputation and losing customers. The only way to protect the bottom line is to find a data destruction company that can guarantee the permanent and professional deletion of files.


Moradeyo Komolafe is engineering services manager at Kroll Ontrack Data Recovery

This was last published in September 2013

1 comment

Excellent article. I spend a great deal of time explaining that the ICO monetary penalties are generally not to punish the breach but the lack of controls in place. The other side of the coin is the paranoid IT managers who request hard drive destruction when this is not necessary. ADISA accredited ITADs can advise the most suitable method of data eradication.