What do the Office of the Chief Medical Examiner, State Lottery Commission, and Department of Mental Health have in common? They were all among the 12 agencies audited by the state of Massachusetts in 2015 and were deemed to have failed to comply with state requirements for the removal of confidential information from electronic equipment. During the audit, it was discovered that the medical examiner left 40 hard drives, which contained information on suspicious deaths, in an open area.
While this case is shocking, it’s easier, more common and more dangerous than most realize to find residual data on used electronics after they’ve been sold. This is reiterated by the findings of our new data recovery study that launched today, where we purchased 200 second-hand hard disk drives and solid state drives from eBay and Craigslist. In addition to finding personally identifiable information on 67 percent of the drives, we were more worried by the fact that 11 percent of the drives held sensitive corporate data, including company emails, CRM records and spreadsheets containing sales projections and product inventories.
We caught up with our IT security consultant, Paul Henry, who has decades of digital forensics experience and has purchased over 800 used electronics from ecommerce sites. He shares some of the study’s findings and how improperly wiping used electronics before reselling them could turn into a privacy nightmare for businesses and even individual users.
Were you surprised by any of the study’s results?
Paul Henry: I was more saddened than surprised by our study’s findings. This is the second data recovery study we have done in the last 12 months. To see how little has changed with regard to differentiating effective data deletion methods from improper methods speaks to what needs to change in the industry.
In addition to finding company emails on 9 percent of the drives we examined, we also found more confidential and sensitive corporate data, such as spreadsheets containing sales projections and product inventories (5 percent), customer data (3 percent) and CRM records (1 percent). While these figures may not seem exceptionally high, they are still alarming for several reasons and should be seen as a wake-up call by businesses.
If the original owners of the drives were employed by large enterprise businesses with thousands of employees, customers and partners, it’s highly likely the subjects and topics of those company emails could be extremely sensitive and potentially damaging to the employers if leaked. Given the CRM records included sales projections and product inventories, the loss or theft of such data could also pose a serious threat to a company’s intellectual property and diminish its competitive advantage in the market.
This mistake was at the heart of the infamous Ashley Madison data breach in 2015. The dating site’s users, who wanted to make sure all of their data was erased from the dating site, put all of their trust into the site’s $20 ‘Full Delete’ program. Even though the obvious identifiers had been removed, enough information was left to expose the site’s users. The big lesson for Ashley Madison – and any other type of business – should be to test that your deletion methods are adequate and to not blindly trust that simply ‘deleting’ data will truly get rid of all of it for good. Remaining data can still be accessed and recovered unless the data is securely and permanently erased.
What are the common methods/ways that users deleted data from the drives you examined? And what are the drawbacks, or mistakes, of each?
Paul Henry: Based on our analysis, 36 percent of the drives containing residual data had data previously ‘deleted’ from them – essentially, users dragged files to the ‘Recycle Bin’ or used the basic delete button. Our findings also revealed that a quick format was performed on nearly half (40 percent) of the used drives containing residual data. However, formatting a drive doesn’t actually erase the data. It only creates a file table so new data can be written to the volume. So the old data is still left intact and recoverable.
Most people – and even businesses – mistakenly use these inadequate methods thinking their information is gone. But it’s not. The data can still be accessed and recovered. When you consider that close to half of the used drives we analyzed used this inadequate data removal method, it reiterates just how large and persistent a problem this is today. For businesses that collect, create, store and manage millions of data points and information in a single day, the security risks of exposing such data are too significant to ignore.
For data security as a whole, and data erasure in particular, there are many solutions users can find in the marketplace. But as easy as they are to find and as affordable as they might seem, they’re not absolutely guaranteed to erase data permanently – and they certainly don’t comply with international regulatory standards. But as our study makes very clear, not all resellers are taking the necessary precautions to wipe data completely clean before reselling used electronics to the next user.
What was the most alarming type of personal data left on a drive from the report?
Paul Henry: In taking a closer look at the drives, we discovered various types and amounts of personally identifiable information were left exposed, including financial data (21 percent), social security numbers (23 percent) and resumes (10 percent). The potential loss or theft of these types of data is dangerous because they contain all of the information needed for a hacker to go in, steal the information and then perpetrate identity theft and fraud. And in a world where money rules, this could have devastating effects for individuals because it could not only rob them of their hard-earned money, but it could also hurt their chances to get approved for financing, mortgage loans and so much more. Not to mention, if the identity thief becomes involved in criminal activities, it could destroy their personal reputation.