Used hard drives are ID theft paradise

14-11-2007

by Ciara O'Brien

Irish people may have improved their record on recycling electronic waste, but it seems security concerns have fallen by the wayside.

According to a study conducted by security firm Rits Information Security, personal information including credit card numbers, customer data and client files is being left on hard drives that are being sold into the second-hand market.

The drives examined by Rits were sourced openly on the internet and online auctions. The survey looked at the information remaining on the disks, unveiling some alarming results. In one case, some 300 credit card numbers from an organisation involved in fundraising for a large charity event were present on one disk, while customer data from a major Irish bank was found on another.

Other data found on the drives included client files from insurance brokers and mobile phone firms, and electrical design data for academic institutions and civic offices.

Aside from obligations to Data Protection legislation, the data is a relative goldmine for potential fraudsters who could use the details for identity theft.

Rits also uncovered other data that could also be worrying for business -- pornographic images were found on almost half of the drives, mostly from those used in the corporate sector. Many companies have acceptable internet usage policies in place that would prohibit viewing such images, while firms must also be aware that they bear a certain amount of responsibility for what their employees get up to while using their infrastructure.

Even when attempts had been made to erase the drives, they had not been erased securely, allowing Rits to recover some of the data. A quarter of the drives held detailed credit card information, while more than half had confidential personal details including names, addresses, bank details and PPS numbers. In one instance, case data from an employment law firm was recovered.

The security firm warned that businesses should consider effective overwriting of media before reselling or disposing of the drives, in order to fulfil Data Protection obligations. However, it seems clear that some computer users are still relying on the "delete" button or simple formats to wipe data, which only makes the data slightly more difficult to access instead of destroying it completely.

"Most people are not aware of the implications of pressing delete, doing a simple format or overwrite of the operating system," said Vivienne Mee, Rits Security, speaking with ENN. "Home users in particular aren't aware, but large organisations should be. The study did show that neither are using methods to securely dispose of information."

Mee pointed out that previous studies have indicated that this is not just an Irish problem, but is a global issue.

For home users, Mee advised that there are plenty of tools available on the internet to erase data; although they would not be 100 percent effective, they would be more than adequate for home use. Large organisations, on the other hand, should have a more structured and effective method in place, which can include services that overwrite data between three and ten times up to 35 times to dispose of sensitive information.

Failures to do so could leave firms open to action under Data Protection legislation. "They are in breach of legislation," said Mee. "They have a duty of care."