Critical data found on second-hand hard drives
Organizations and individuals are still leaving critical data on disks later sold on through online auctions and computer fairs, according to a new study.
The research carried out by BT, the University of Glamorgan in Wales and Edith Cowan University in Australia found payroll information, mobile telephone numbers, copies of invoices, employee names and photos, IP addresses, network information, illicit audio and video files, financial details including bank and credit card accounts on hard drives purchased from a number of sources.
The research, based on more than 300 computer hard drives from U.K., North America, Germany and Australia, showed that while 41 percent of the disks were unreadable, 20 percent contained sufficient information to identify individuals, 5 percent held commercial information on organizations, and 5 percent held "illicit data."
The research revealed that, for a significant proportion of the disks that were examined, the information had not been effectively removed and as a result, both organizations and individuals were exposed to a range of potential crimes. The report's authors said the figures were an "improvement on those from the previous year's research, still show an alarming level of sensitive information being released."
They said that despite an increasing maturity of information security and awareness, increasing regulations and significant publicity, organizations are still not modifying their procedures to ensure that information is effectively removed before computer disks are disposed of.
Dr. Andy Jones, head of security technology research at BT, who led the research said: "So much has been said already about the availability of information disposal tools, increasing legislative pressures and the growing literacy of computer users that it is difficult to explain why there is still such poor cleansing of disks. When organizations dispose of surplus and obsolete computers and hard drives, they must ensure that, whether they are handled by internal resources or through a third party contractor, adequate procedures are in place to destroy any data and also to check that the procedures that are in place are effective."
Dr. Andrew Blyth who leads the research team at the University of Glamorgan commented, "Now in its second year, this research proves that companies and individuals still need to take this issue of the disposal of information stored on hard drives more seriously. Just from looking at this random sample, it is obvious that there are hard drives on public sale that still contain highly confidential material."