When it comes to securing your private data it is essential that you consider the hardware it is stored on. That means thinking about physical security as well as data protection and having a backup policy in place.
But there is also another consideration and it seems many people fail at this final hurdle: when disposing of old hardware it is vital that you destroy the data stored on it. That goes for optical media, USB drives, hard drives and any other type of storage that you or your organisation have used.
Alas, a couple of high-profile news stories over the last week have highlighted how improper disposal of data can put it at risk.
On Friday I wrote about James Howells, an IT consultant by the way, who threw out an old hard drive that contained the private keys for his $7.5m Bitcoin fortune. Not only did he have no backup for his keys, he also failed to wipe the drive before chucking it out.
Now, a landfill site in Newport, Wales, has £4.6m of virtual currency sitting beneath several feet of rotting household waste. I wouldn’t condone trawling through the tip looking for it – you wouldn’t be allowed to anyway – but it does show how valuable data can be discarded far too easily, especially as anyone who happened to find the drive could use the private keys and claim the virtual cash for themselves.
But it's not only IT consultants who don’t take good enough care of their ‘unwanted’ data – private individuals and governments often fail in this regard too.
I read this morning that Australians are taking big risks with their private data too. An upcoming cybersecurity conference in Perth, Australia, will hear a research paper that reveals how Aussies are putting themselves at risk of identity theft and other cyber crimes by discarding confidential material on USB sticks.
The paper’s authors, Patryk Szewczyk and Krishnun Sansurooah, of the Security Research Institute at Perth’s Edith Cowan University, will warn eBay users that they are swapping small amounts of money for extremely valuable data when they sell their old storage devices on the popular auction site.
Their study concluded that,
“The results show that sellers are sending memory cards with no evidence of erasure, poor attempts to erase data — or simply asking the buyer to erase the data prior to use.
The data recovered is not only of a personal nature, but also appears to originate from Australian government departments and business.”
Over the course of a year the researchers purchased 140 secondhand memory cards and analysed any data on them that was recoverable. In many instances they discovered that the sellers hadn’t even bothered deleting their own data before posting them. Some 20% of the analysed memory sticks contained ‘graphic’ images.
In other studies the duo also discovered that memory sticks were being sold despite containing government data.
Szewczyk and Sansurooah seem to place responsibility for securely deleting the data from such devices at eBay’s door, saying that the auction site should issue some sort of warning when sellers try to list such items:
“It is evident that actions must be taken by second hand auction sites, and the media to raise awareness and educate end-users on how to dispose of data in an appropriate manner.”
Whilst I agree that such warnings may help, I can’t help but think that responsibility for the disposal of devices containing any kind of personal information whatsoever should lie primarily with the owner.
Whilst I can almost understand why a home user may sell a USB stick with some holiday snaps on it, I cannot help but think that IT consultants and business and government users should know better.
It seems that more security awareness is probably needed in the case of the former, whilst the latter probably need far harsher words to be aimed in their direction. Sack ’em all I say.