How would you feel if one of your old computers showed up on eBay or at a computer fair, complete with your private and sensitive information still on it? According to new research in three continents, the situation occurs more often than most of us like to think.
Researchers from the University of Glamorgan and BT Group plc's Security Research Centre analysed 300 hard drives bought from online auctions and computer fairs in the U.K., U.S., Germany, France and Australia, and then analysed the contents.
In an interview with the BBC, professor Andrew Blyth of Glamorgan said that "between 35-40 % of the disks held commercially sensitive information." The hard drive data included NHS patient information, intellectual property, and in the case of one machine bought in the U.S., launch codes for a missile system.
Many organisations use outside service providers to handle the process of disposal and hard drive data destruction, but they are not always absolutely reliable, as the BT study discovered. For instance, two of the disks were found to hold data from hospitals in Lanarkshire. According to the Lanarkshire Health Board, the disks should have been properly wiped by an outside service provider for disposal. After reviewing procedures, the hospital now handles the process in-house.
So what steps should companies take to ensure hard drive data is secure? Is there no alternative to using a hammer to smash the drive?
"If you have proper data classification in place, and you encrypt all sensitive data, then it will be much harder for anyone to read the information," said Michael Cobb, managing director of Cobweb Applications Ltd, a consultancy. "That certainly applies for laptops and smartphones, which may get lost or stolen. And with desktop machines being renewed so often, you need to make sure the confidential data they hold is automatically encrypted as well."
Graham Cluley, senior technology consultant at antivirus and encryption provider Sophos Plc agrees: "If your data is securely encrypted in the first place, then you don't need either a hammer or secure erasure tools. So long as the encryption keys are wiped securely, then the whole hard drive should be gobbledygook."
Richard Moulds, vice president at service company Thales Group, also favours encryption, but warns that companies should ensure every copy of the encryption key that was ever made -- for example, for back up purposes -- has also been destroyed. That level of control, he said, requires "strong key management systems which prevent unauthorized access to keys or fraudulent creation of copies or bogus keys -- all in an auditable way. "
Cobb makes the point that security measures need to be in proportion to the value of the hard drive data. "When it comes to disposing of computers and hard drives, I always recommend doing a full wipe of the hard drive, and then if it has had sensitive information on it, destroying the hard drive," he said. "In most cases the data will not be so valuable that it's worth trying to read it off a shard of smashed disk. But if you are dealing with very sensitive data, then you may need to grind the surface of the disk platters and melt them. But for most people, a proper data wipe will be sufficient, and then smash it with a hammer."
Robert Winter, chief engineer of data recovery at security firm Kroll Ontrack Inc., takes a similar approach, suggesting using software to erase data, or carry out repeated over-writing and defragmentation. He also recommends using a device called a degausser, which scrambles the data by using electromagnetic pulses to make the drive unreadable.
Graham Cluley favours the software approach, pointing out that using hammers can be hard work and potentially dangerous. "Firms and individuals should run military-grade secure erasure tools if they're scrapping their hard drives or planning on selling old computer equipment. Such software can overwrite not just the files on your hard drive, but every single area -- including the slack space where old 'deleted' files might lurk. And they can do it multiple times, with random characters, ensuring there is no residual magnetic echo of the data that was once on the drive still discernible."
He admits that some hard drive data destruction tools are better than others, but insists that "choosing a data wiping solution carefully is better than trying to crack a nut with a sledgehammer."
And Michael Cobb offers this advice: "The key thing when choosing erasure software is to understand that wiping a drive is not the same thing as wiping individual files. You need a program that will obliterate not only the data on the drive, by overwriting it with various values, but it should also obliterate the drive's formatting and partitioning in the same way."
Small to medium sized companies should also take more care, said Ben Rexworthy, managing director of Securinet UK Ltd., a consultancy specializing in the SME market. "In the Hacker's Forum at this year's [Information Security Europe] exhibition, a panelist considered that SMEs were one of the groups most at risk of data fraud and theft such as can happen through poor machine disposal."
He advises SMEs using his data-destruction service to put their disks through three overwriting passes using software authorised by the U.S. government, specifically the DOD5220.22-M standard, which he said is widely available on a range of software.
More about hard drive data destruction
- Creating data destruction policies to protect sensitive company data
- Hard-disk erasure: Using HDDerase and Secure Erase hard-drive eraser
- How to destroy data on a hard drive to comply with HIPAA regulations
- Data deletion or data destruction?