by Davey Winder on April 25th, 2019 via Forbes
Sensitive data has been found on 42% of hard drives purchased on eBay and analyzed by Ontrack for a Blancco Technology Group report published today. The storage drives were purchased from eBay in the U.S., U.K., Germany and Finland. As well as the sensitive data, researchers also found personally identifiable information (PII) on 15% of the forensically analyzed drives.
What data was found?
Every eBay seller that the researchers interacted with insisted that proper data sanitization methods had been used to ensure no data was left on the drives before they were offered for sale. The sheer breadth of information recovered from these drives, however, suggests otherwise. One drive, which had belonged to a software developer “with a high level of government security clearance,” still contained scanned images of family passports and birth certificates along with financial records. Other drives were found to hold 5GB of archived internal office email from a major travel company; 3GB of data from a freight company, including documents that detailed shipping schedules and truck registrations; university student papers and associated email addresses; and school data comprising photos and documents with pupil names and grades.
How much of a real-world problem is this?
“Selling old hardware via an online marketplace might feel like a good option,” Fredrik Forslund, vice-president of cloud and data erasure at Blancco, says, “but in reality it creates a serious risk of exposing dangerous levels of personal data.” This risk is increased when the organizations disposing of these drives, and the companies selling them on eBay, are under the impression that all data has been securely erased as part of the hardware decommissioning process. “The reality is that physically collecting hard drives as a method of stealing valuable data doesn’t scale very well,” Tim Erlin, vice-president of product management and strategy at Tripwire, insists. “It’s difficult to target specific data and you only get what’s on each drive, which might be nothing.” For sure, there are more effective means of making a buck as far as data thieves are concerned. But as Erlin rightly warns, “that might lower the concern, but it shouldn’t eliminate it.” This means that every organization should have a plan for disposing of used drives.
Data destruction best practice
Historically, best practice for wiping drives to preclude data leakage involved forensic tools that used high-powered magnets. However, that is of little use when Solid State Drives (SSDs) are involved, as they employ integrated circuit assemblies as memory. “Since SSDs don’t store data in magnetic form and rewriting blocks of data can shorten the lifespan of some SSDs,” says Tim Mackey, senior technical evangelist at Synopsys, “new processes to protect data prior to disposal are required.” If sensitive data might be stored on the drive, Mackey suggests that physically destroying, or shredding, the drive is the way to be certain the data cannot be recovered. Indeed, many large organizations already have such media destruction programs in place, whether the device in question is of the spinning metal or SSD variety. If this is the case, then how are drives still ending up on eBay with corporate data intact? The simple answer is that large organizations make up only a portion of the market. “For many medium and small organizations there’s real value in recapturing dollars by disposing of old equipment in a lucrative way,” Erlin points out. And, of course, not all secure media destruction programs are created equal, and process is not necessarily followed to the letter. “If the drive is slated for destruction, it’s important to obtain proof of destruction,” Mackey says, concluding, “after all, if it’s important enough to be destroyed then it’s worth the effort of confirming that destruction.”