Infosec 2012: Unscrubbed hard drives a threat to business, says ICO

Unscrubbed hard drives on computers that are decommissioned and sold on represent a significant risk to business

Unscrubbed hard drives on computers that are decommissioned and sold on represent a significant risk to business, according to the ICO.

An analysis of 200 second-hand hard drives acquired online by forensics firm NCC Group found that half contained personal or corporate data in 34,000 files, 11% of it being personal data.

Analysts found that although some action had been taken in a number of cases, such as deleting drive partitions, this was not enough to ensure that the personal data was unrecoverable.

Upon further ICO examination, it became clear that at least six of the drives contained significant amounts of personal data relating to the main user of the drive or employees and clients of organisations.

"11% may not sound like much, but it is more than enough to compromise individuals and organisations to conduct fraud," Information Commissioner Christopher Graham told attendees of Infosec Europe 2012 taking place in London.

The four identified organisations were contacted by the ICO, he said, for an explanation of how the situation occurred and what measures had been put in place to ensure something similar could not happen again.

An Undertaking was obtained from a private company committing it to improve the security of its drive decommissioning process

Despite the commitments made by the four data controllers, Graham said there is an ongoing concern that other organisations and individuals may be disposing of redundant IT equipment in an insecure manner.

In many cases, he this will be due to a general lack of technical awareness, which is why the ICO has published guidance for individuals and organisation on how to delete data securely.

However, Graham said it was "good news" that 38% of the hard drives had been wiped properly. Some 14% were unreadable and 37% did not contain any personal data.

NCC Group also analysed 20 memory sticks and 10 mobile phones, but said the amount of personal data found was "negligible".

Paul Vlissidis, technical director at NCC Group, said the research will hopefully be a wake-up call for the individuals and organisations who think their responsibility and liability ends with the delete button.

“This isn’t a case of scaremongering, or using sophisticated techniques only available to large organisations. We purposefully used simple, easily sourced forensics processes and tools, to demonstrate that any information we accessed could also easily be stolen by people of criminal intent. It's sobering to think that nearly half of the used devices on the market contain personal information up for grabs," he said.

Vlissidis said there is a huge amount of information being stored that is potentially damaging in the wrong hands. "To protect both personal and corporate data, it’s essential that people become better educated about securely wiping devices," he said.

Ollie Hart, head of public sector UK & Ireland at security firm Sophos said the NCC Group's research once again underlies the need for better education around data protection. 

"It’s hard to believe that we’re still seeing this kind of breach, particularly when you consider that four of the hard drives came from organisations rather than individuals and contained information about employees and clients, including health and financial details," said Hart.

Read more on Hackers and cybercrime prevention

Data Center
Data Management