Channel beware: permanent data destruction is harder than it looks

Secure data erasure should be part of public sector security strategies but the channel should beware: permanent data destruction is harder than it looks, says Kroll Ontrack’s Moradeyo Komolafe

The UK Information Commissioner’s Office (ICO) recently published the number of data breaches committed this year. The findings reveal that half were due to carelessness and most of the data breach scandals occurred in sectors that store highly sensitive data.  Local councils and the health sector were the biggest offenders and paid over £4 million worth of fines in 2013. A big worry is that the government body only issues fines for gross negligence which means the public sector had committed serious infringements. In comparison, the amount paid out by private businesses was a mere £600,000.

One of the most notable causes involved NHS Surrey, which was fined £200,000 after it publically leaked the records of 3,000 patients. The loss occurred because the data destruction company in charge of recycling the hospitals’ computers hadn’t properly destroyed the records.  Instead, it unwittingly passed on data, believing that crushing the hard drives of the computers was enough to permanently erase information. 

Any reputable data erasure specialist knows this method of disposal is far from fool proof. Deleted data can often be retrieved from damaged equipment or from formatted or corrupt volumes – even from initialised disks. Kroll Ontrack knows this better than any other firm.  Our most famous data recovery was from a cracked and singed hard drive that fell to Earth in the debris from the Space Shuttle Columbia in 2003! In the case of NHS Surrey, the ICO was alerted to the breach not by a hardened criminal with amazing tech skills, but by a member of the public who had purchased one of the computers and found the data on their desktop.

The public sector outsources the bulk of its IT responsibilities to the channel therefore the channel needs to work with skilled data destruction companies to protect their reputations as well as those of their clients.  Knowing who to trust requires a bit of research in the selection process.  A quick Google search will reveal many companies promising the same results, so channel beware.  Do a background check of the company before choosing the right data destruction partner. Find out if the organisation employs trained engineers and whether they work in a clean room.  Ask for customer case studies. Find out the methods they use to destroy data. 

For example, permanent erasure requires the use of accredited erasure software or a degausser for non-functioning computers. They not only wipe all traces of data but also provide companies with erasure verification reports which are vital for compliance audits. The reports list what has been deleted and identifies the serial number, make and model of the hard drive removed. The date and time of erasure and the amount of information that has been erased is also available. For non-functioning hardware, a degausser ensures all data is permanently irrecoverable.

Some data destruction companies don’t have the technical knowledge to use the correct tools – which explains why they choose to smash a hard drive instead.

The computers belonging to NHS Surrey were compromised the moment they left the hospital, leading to a scandal which will take a while to forget. A clear warning has been sent to all IT managed service providers for the public sector: the channel must take the threat of data breaches seriously or risk damaging their reputations and losing customers.  The only way to protect the bottom line is to find a data destruction company that can guarantee the permanent and professional deletion of files.

Moradeyo Komolafe is engineering services manager at Kroll Ontrack Data Recovery

Read more on Storage Regulatory Compliance Services