Nigel Thorpe, Technical Director
Mistakes humans make with data – mistake #5: unencrypted hard drives
16 Dec, 2020
This is Part 5/5 of the "Mistakes humans make with Data" series.
Be careful what you throw away
Chances are if you search through the average office desk, you will find a collection of old devices such as USB sticks, smartphones, SD cards and external hard drives. But while these may have been replaced, damaged or just finished with, they probably still hold valuable and sensitive business and personal data.
Then there are those computer hard drives. When a PC or laptop comes to the end of its useful life, it is all too easy to leave it lying around or discard it – maybe take it down to the local recycling centre. The problem is that even if you delete the data from the hard drive, it is still there and can easily be picked up by threat actors who are prepared to trawl through electrical appliances in search of sensitive information to exploit.
Dangers of disposing of your IT equipment without wiping out the Data
Many companies and organisations use firms to handle the disposal of old IT equipment. But this does not always go to plan.
For example, German security researchers discovered easily accessible, classified military information on a laptop sold on eBay that had been decommissioned and sent for recycling to render the storage media unusable. The laptop was bought for €90 and the researchers discovered a series of documents, including instructions on how to destroy an air defence system.
Another security researcher, from Rapid7 in the US, spent about $600 on 85 devices bought from businesses that sold refurbished, donated and used computers. The purchases included desktop and laptop computers, flash drives, memory cards, hard disk drives and mobile phones. Of the 85 devices he bought, only two were correctly wiped. Most of the devices still had information on them, including email addresses, dates of birth, Social Security numbers and credit card numbers.
Think about it - if Data is always encrypted, there is nothing the cybercriminals can do with it
In addition to sloppy or greedy third-party IT asset disposition companies, there is a growing number of sham recyclers in operation – companies that offer to pick up and recycle PCs for free, then actually sell them to cyber-criminals specifically so they can mine the data they contain for illicit activity.
The only truly secure method of IT asset disposition is in-house drive destruction. Not only does crushing, shredding or disintegration ensure data privacy and security, but it is also environmentally responsible. Shredded hard drive scraps are more easily sorted for metal recycling.
But before you get to this stage, consider this: if all data, whether it is on a storage drive, in transit or in use, is always encrypted using file encryption software, then even when IT equipment or devices are disposed of, any criminal who gets his or her hands on them is going to be very disappointed.