Here are the details of the study I mentioned in my last post. Conducted in 2009 by the Information Security Research Group at the University of Glamorgan, it revealed what could typically be recovered from second-hand computers.
The research group were sent 300 drives, randomly ordered from various suppliers of used IT equipment.
After analysing these with software developed by AccessData (most likely FTK), the results were very surprising – 34% of the drives still had sensitive data on them, and these were from large organisations in both the private and public sectors. Third-party businesses had been paid to dispose of the computers on the understanding that the information they contained would be wiped, or so it was claimed. Maybe the disposal firms genuinely believed the disk wiping software was as reliable as we’re led to believe, before they stuck the DATA DESTROYED label on the equipment. It’s a mistake I would have made myself several months ago. Maybe a more thorough examination of the other 66% of the hard drives would give similar results.
Among the information recovered during the research:
– Test data for a ground-to-air missile defence system
– Details of Lockheed Martin employees
– NHS information and patient records that should have been confidential
– Details of financial transactions between large businesses
– Trade secrets belonging to the Ford Motor Company
– Laura Ashley customer records
– Some illegal material, leading to one arrest
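The lesson of the study is that a DATA DESTROYED label is a claim, not evidence, and the only way to know a drive has been sanitised is to read it back and look. The script below is an added example of that read-back check; it is not from the Glamorgan study, AccessData or FTK. It walks a disk image in fixed-size blocks, counts how many are all zeros, flags leftover blocks that look like readable text (the sort of record the study found) or like encrypted or compressed data (which a wipe should also have removed), and pulls out any e-mail addresses. The 4096-byte block size, the entropy and printable-ratio thresholds, and the sample image with a planted patient-style record are all assumptions constructed for the example; on a real drive you would feed it the raw device or an image taken with dd rather than an in-memory byte string.

```python
import math
import random
import re
from dataclasses import dataclass, field

BLOCK = 4096  # assumed block size for the walk; 4 KiB matches modern sectors and most filesystem clusters

# Patterns for leftover content. Only e-mail addresses are extracted here; any
# other identifier of interest would be added the same way.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
WORD_RE = re.compile(rb"[A-Za-z]{3,}")


@dataclass
class WipeReport:
    total_blocks: int = 0
    zero_blocks: int = 0
    plaintext_blocks: int = 0     # readable text: records, documents, logs
    high_entropy_blocks: int = 0  # encrypted or compressed remnants
    other_blocks: int = 0         # binary structures, partially overwritten data
    text_offsets: list = field(default_factory=list)
    emails: list = field(default_factory=list)

    @property
    def fully_wiped(self) -> bool:
        return self.zero_blocks == self.total_blocks

    def verdict(self) -> str:
        return "wiped" if self.fully_wiped else "residual data present"


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; ~8.0 for random/encrypted data, much lower for text or zeros."""
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def printable_ratio(buf: bytes) -> float:
    """Share of bytes that are printable ASCII or whitespace."""
    return sum(1 for b in buf if 32 <= b < 127 or b in (9, 10, 13)) / len(buf)


def scan_image(image: bytes, block: int = BLOCK) -> WipeReport:
    """Classify every block of a disk image and collect obvious identifiers."""
    r = WipeReport()
    for off in range(0, len(image), block):
        chunk = image[off:off + block]
        r.total_blocks += 1
        if not any(chunk):
            r.zero_blocks += 1
            continue
        # Judge readability on the non-zero bytes so a short record left in an
        # otherwise zeroed block is still recognised as text.
        nz = bytes(b for b in chunk if b)
        if printable_ratio(nz) > 0.9 and len(WORD_RE.findall(nz)) >= 5:
            r.plaintext_blocks += 1
            r.text_offsets.append(off)
        elif shannon_entropy(chunk) > 7.5:
            r.high_entropy_blocks += 1
        else:
            r.other_blocks += 1
    # Search identifiers over the whole image so a match spanning a block
    # boundary is not missed (a real device would be scanned in overlapping windows).
    r.emails = [(m.start(), m.group().decode()) for m in EMAIL_RE.finditer(image)]
    return r


def build_sample_image() -> bytes:
    """Constructed test image: 8 blocks, mostly zero, with one leftover record and
    one random-looking block, standing in for a drive that was only partly wiped."""
    img = bytearray(BLOCK * 8)
    record = (b"Patient: J. Example  DOB 01/02/1970\n"
              b"Contact: j.example@example.org\n"
              b"Notes: referral letter attached, please keep on file.\n")
    img[BLOCK * 3:BLOCK * 3 + len(record)] = record
    rnd = random.Random(1234)  # fixed seed keeps the example deterministic
    img[BLOCK * 6:BLOCK * 7] = bytes(rnd.getrandbits(8) for _ in range(BLOCK))
    return bytes(img)


if __name__ == "__main__":
    report = scan_image(build_sample_image())
    print(report.verdict())
    print(f"{report.zero_blocks}/{report.total_blocks} blocks zero, "
          f"{report.plaintext_blocks} plaintext, {report.high_entropy_blocks} high-entropy, "
          f"{report.other_blocks} other")
    for offset, addr in report.emails:
        print(f"e-mail at byte {offset}: {addr}")
```

Run against the constructed image it reports residual data with one plaintext block and one high-entropy block; run against a genuinely zero-filled image it reports "wiped". The block classification matters in practice: a disposal firm that only deleted files leaves plaintext blocks, while one whose wiping tool failed on an encrypted volume leaves high-entropy blocks, and both should fail acceptance.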
Apparently it’s a common view among security professionals that the chances of the drives falling into the hands of someone with the right contacts, and able to find a market for the information, are remote, and therefore there’s little risk. But I disagree. Information is no longer confidential once it’s out there. Organised criminals know that buying used hard drives is a good investment, even if just a couple of them provide information they could use.
At the time, The Guardian claimed phones in Nigeria, where 419 scams traditionally originate, sell for 50% more if they contain personal data. Only a handful of UK phones reach that country, which explains why personalised 419 emails aren’t that common.
The problem’s even worse in the UK, with more people carrying MP3 players, USB drives and netbooks. All of them are portable devices that are easier to steal, buy, sell and circulate. It means a huge increase in the amount of confidential data being carried about and potentially mislaid over the past four years.