[ISN] Old hard drives still full of sensitive data

From: InfoSec News (alerts@private)
Date: Mon Sep 24 2007 - 22:15:16 PDT


By John E. Dunn
21 September 2007

Hard drives full of confidential data are still turning up on the 
second-hand market, researchers have reported.

Investigations carried out on behalf of BT by the University of 
Glamorgan in the UK, Edith Cowan University in Australia, and Longwood 
University in the US, found that thirty-seven percent of drives surveyed 
had traces of personal data on them.

Damningly, this figure is much the same as it was for the same surveys 
undertaken by the universities in each of the last two years, suggesting 
that either companies are ignoring the issue or simply lack the tools to 
adequately wipe data before resale.

Sensitive information retrieved included salary details, financial data 
of specific companies, credit card numbers, medical data, visa 
applications, details of online purchases, and, inevitably, online 
pornography. The sample totalled 350 hard drives acquired in online 

"Given the level of exposure that the subjects of security and identity 
theft have received in recent times, and the availability of suitable 
tools to ensure the safe disposal of information, it is difficult to 
understand why disks are still not being effectively cleaned before they 
are disposed of," said BT's security research head, Dr Andy Jones.

"When organisations dispose of surplus and obsolete computers and hard 
disks, they must ensure that adequate procedures are in place to destroy 
any data and also to check that the procedures that are in place are 
effective - whether they are handled by internal resources or through a 
third party contractor," he said.

The full report - which has yet to be made publicly available - reveals 
that buying second-hand disks is an unreliable way to get hold of 
storage. Of the 133 disks bought in the UK, 44 percent of them didn't 
even work. But of those that did, 19 percent had enough information on 
them to identify the organisation from which they had come, sixty-five 
percent had enough data to identify named people, and 17 percent 
contained illicit data.
