SSD security challenges: Which data sanitization methods are effective?

In recent years, a growing number of data breaches have resulted from the improper data removal and insecure storage of drives. Organizations face a myriad of internal and external challenges with preventing sensitive personal and corporate information from being accessed or breached from solid state drives (SSDs), according to the Blancco Technology Group.

According to over 300 IT professionals surveyed in the United States, Canada, Mexico, United Kingdom, France, Germany, India, Japan and China, 62 percent of organizations believe encryption is sufficient to protect data from being accessed or breached. On top of this, 70 percent said they rely on encryption to prevent data loss/theft from SSDs and 35 percent reformat the drives.

Moreover, when IT assets containing SSDs hit their end-of-life and are ready to be disposed of, recycled or resold, over half (56 percent) of organizations either send them to IT asset disposition vendors/recyclers to erase the data or outsource the task to an IT security consultant.

Key findings

SSDs contain a myriad of sensitive personal and business information. 47 percent of organizations store both personal information (from employees) and business data on SSDs

Loss/theft of drives and employees leaking data for personal gain rank low on the list of SSD security challenges. Loss or theft of hard drives (8 percent) and employees leaking data for monetary gains/personal benefits (5 percent) were at the bottom of SSD security challenges for organizations.

Organizations prioritize efficiency and cost over data security when selecting IT asset disposition vendors/recyclers. 49 percent of organizations consider efficiency and cost to be the most important factors when selecting an IT asset disposition vendor. Yet, only 16 percent factor in the vendor’s ability to permanently remove all data and 13 percent prioritize certifications and recommendations from governing bodies and institutions into their decision-making process.

Although confidence in SSD security practices is high, monitoring of ITAD vendors/recyclers is a low priority. Although 89 percent of the survey’s respondents are either ‘very confident’ or ‘confident’ that data cannot be accessed or breached after SSDs have been discarded, recycled or resold, 27 percent admitted they don’t have any formal process for monitoring how ITAD vendors/recyclers erase data from SSDs.

Why protecting data on SSDs is critical

“Our study’s findings underscore the difficulty many organizations face with managing, storing and protecting data on SSDs and are symptomatic of a larger data security problem,” said Richard Stiennon, Chief Strategy Officer of Blancco Technology Group. “Many organizations and individuals place a great deal of their trust and reliance in encryption and reformatting to prevent data loss/theft from SSDs and minimize their exposure to a potential data breach. But there are certain data security challenges with encryption that are often overlooked when it comes to protecting data stored on SSDs. And we know from our own analysis of 200 used drives purchased from eBay and Craigslist that reformatting of SSDs could result in various types and amounts of personal and corporate information being left exposed and recovered. Organizations cannot afford to be lax in how they manage and erase SSDs – or they could find themselves hit by a data breach.”

One such example is the recent data breach that hit health insurer Centene. In January 2016, the health insurer lost six hard drives that were part of a data project using laboratory results to improve the health outcomes of members. The missing drives contained the health information for 950,000 beneficiaries and included individuals’ names, dates of birth, social security numbers and member ID numbers.