Nigel Thorpe, Technical Director
Mistakes humans make with data – Mistake #5: Leaving out unencrypted hard drives
16 Dec, 2020
Be careful what you throw away
Chances are that if you search through the average office desk, you will find a collection of old devices such as USB sticks, smartphones, SD cards and external hard drives. While these may have been replaced, damaged or simply finished with, they probably still hold valuable and sensitive business and personal data.
Then there are those computer hard drives. When a PC or laptop comes to the end of its useful life, it is all too easy to leave it lying around or discard it – maybe take it down to the local recycling centre. The problem is that deleting files from a hard drive does not remove the data: it remains on the disk and can easily be recovered by threat actors who are prepared to trawl through discarded electrical equipment in search of sensitive information to exploit.
Many companies and organisations use firms to handle the disposal of old IT equipment. But this does not always go to plan.
For example, German security researchers discovered easily accessible, classified military information on a laptop sold on eBay. The laptop had been decommissioned and sent for recycling, a process that was supposed to render its storage media unusable. It was bought for €90, and the researchers found a series of documents on it, including instructions on how to destroy an air defence system.
Another security researcher, from Rapid7 in the US, purchased 85 devices for about $600 from businesses that sold refurbished, donated and used computers, including desktop and laptop computers, flash drives, memory cards, hard disk drives and mobile phones. Of the 85 devices he bought, only two had been correctly wiped. Most still held information, including email addresses, dates of birth, Social Security numbers and credit card numbers.
In addition to sloppy or greedy third-party IT asset disposition companies, there is a growing number of sham recyclers in operation – companies that offer to pick up and recycle PCs for free, then actually sell them to cyber-criminals specifically so they can mine the data they contain for illicit activity.
The only truly secure method of IT asset disposition is in-house drive destruction. Not only does crushing, shredding or disintegration ensure data privacy and security, it is also environmentally responsible: shredded hard drive scraps are more easily sorted for metals recycling.
But before you get to this stage, if all data – whether it is on a storage drive, in transit or in use – is always encrypted, then even when IT equipment or devices are disposed of, any criminal getting his or her hands on them is going to be very disappointed.
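The Rapid7 purchase above shows how often a drive handed over as "wiped" still carries readable data. The following is an added example, not code from the original article: a small audit that scans a raw disk image sector by sector and flags any sector that is neither zero-filled nor high-entropy (the two patterns a proper overwrite leaves behind). The 512-byte sector size, the entropy threshold and the sample image with its "deleted" customer record are all constructed assumptions for the demonstration.

```python
import hashlib
import math
from collections import Counter

SECTOR = 512  # bytes per sector; assumed for the constructed sample image

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, up to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_sector(sector: bytes, random_threshold: float = 7.0) -> str:
    """'zero' for all-0x00, 'random' for a high-entropy fill, else 'residual'.
    Caveat: compressed or encrypted leftovers also score as 'random'."""
    if not any(sector):
        return "zero"
    if shannon_entropy(sector) >= random_threshold:
        return "random"
    return "residual"

def audit_image(image: bytes) -> dict:
    """Tally sectors by class and list the offsets that still hold data."""
    result = {"zero": 0, "random": 0, "residual": 0, "residual_offsets": []}
    for off in range(0, len(image), SECTOR):
        kind = classify_sector(image[off:off + SECTOR])
        result[kind] += 1
        if kind == "residual":
            result["residual_offsets"].append(off)
    result["wiped"] = result["residual"] == 0
    return result

def pseudo_random_sector(seed: int) -> bytes:
    """Deterministic high-entropy filler standing in for a random-overwrite pass."""
    return b"".join(hashlib.sha256(f"{seed}:{i}".encode()).digest()
                    for i in range(SECTOR // 32))

def build_sample_image() -> bytes:
    """Constructed 8-sector image: a 'deleted' customer record survives in
    sector 3, sector 6 carries a random overwrite, the rest is zeroed."""
    sectors = [bytes(SECTOR)] * 8
    record = b"customer=Jane Example;card=0000-0000-0000-0000;"  # constructed
    sectors[3] = record.ljust(SECTOR, b"\x00")
    sectors[6] = pseudo_random_sector(42)
    return b"".join(sectors)

if __name__ == "__main__":
    report = audit_image(build_sample_image())
    print("wiped" if report["wiped"] else f"residual data at {report['residual_offsets']}")
```

Run against a real image (for example one taken with dd), a non-empty `residual_offsets` list means the drive is not ready to leave the building.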