Sensitive information can still be found on second hand disks
BT, the University of Glamorgan in Wales and Edith Cowan University in Australia today issued a report based on research to determine whether second hand computer disks that were purchased from a number of sources still contained any information or whether the information had been effectively erased. This is the 2nd year running such research has been conducted(1). The report concludes that a large number of the disks examined still contained significant volumes of sensitive information.
The research has revealed that the results, whilst an improvement on those from the previous year’s research, still show an alarming level of sensitive information being released and states that despite an increasing maturity of information security and awareness, increasing regulations and significant publicity, organisations are still not modifying their procedures to ensure that information is effectively removed before computer disks are disposed of.
Over three hundred disks were obtained from the UK, Australia, North America and Germany, purchased at computer auctions, computer fairs or online in the respective geographic areas. Some of the information contained on the disks included payroll information, mobile telephone numbers, copies of invoices, employee names and photos, IP addresses, network information, illicit audio and video files, financial details including bank and credit card accounts.
Dr Andy Jones, Head of Security Technology Research at BT, who led the research said: “So much has been said already about the availability of information disposal tools, increasing legislative pressures and the growing literacy of computer users that it is difficult to explain why there is still such poor cleansing of disks. When organisations dispose of surplus and obsolete computers and hard drives, they must ensure that, whether they are handled by internal resources or through a third party contractor, adequate procedures are in place to destroy any data and also to check that the procedures that are in place are effective.”
Dr Andrew Blyth who leads the research team at the University of Glamorgan commented, “Now in its second year, this research proves that companies and individuals still need to take this issue of the disposal of information stored on hard drives more seriously. Just from looking at this random sample, it is obvious that there are hard drives on public sale that still contain highly confidential material.”
The research revealed that, for a significant proportion of the disks that were examined, the information had not been effectively removed and as a result, both organisations and individuals were exposed to a range of potential crimes. These organisations had also failed to meet their statutory, regulatory and legal obligations.
(1) An Analysis of Information Remaining on Disks Offered For Sale On The Second Hand Market, Dr Andy Jones, Dr. Craig Valli, Dr. Iain Sutherland, Mrs Paula Thomas.