The Risk of ‘Dumpster Data’ Exposure & How to Prevent It

Sep 01, 2021 Blog Article

An IT security professional in Hungary found an old computer in a dumpster. Here’s an overview of the personal data he and a cybersecurity blogger were able to uncover—all with easily accessible password and data recovery tools.

Farah Mithani: A tech-focused writer and editor, Farah covered topics related to cloud security, software, and hardware while working at a Fortune 500 company. She then joined Blancco as content marketing specialist. In that role, she authored data management, data erasure, and IT asset lifecycle content while supporting Blancco’s social media and email channels.

An Investigation into Improper Computer Disposal

When an IT security professional in Hungary found an old computer in a disposal bin, he and the author of an information security blog decided to investigate further. Tamás Kocsis, author of the IT and information security blog “Kiberblog” and Ákos Solymos, specialist at IT security company Quadron, took the discarded computer, intending to search for potential data leakage. Although the computer was in poor condition, Solymos found that the disks were still functional, and several questions arose: Had the computer been sanitized before finding itself in a public dumpster? Was there any data on those disks? If so, what kind of data?

Solymos’ curiosity isn’t unfounded. The NIST Guidelines for Media Sanitization state that “an often rich source of illicit information collection is either through dumpster diving for improperly disposed hard copy media, acquisition of improperly sanitized electronic media, or through keyboard and laboratory reconstruction of media sanitized in a manner not commensurate with the confidentiality of its information.” In Solymos’ case, NIST’s findings rang true on all three counts.

With just three tools—FTK Imager software, the free forensic tool Autopsy, and the password hash cracker CrackStation—Solymos was able to uncover a vast array of personal, medical, and financial data on thousands of patients, such as:

  • 3,256 patients’ birth data, treatment history, prescribed medications, and other personal information
  • More than 9,500 unique email addresses
  • 4,728 photos and 314 videos, with more than 200 related to medical examinations
  • 300 court enforcement documents


‘Dumpster Data’ Still Found in Spite of Data Regulations

The high quantity of sensitive data Solymos uncovered from just one computer is astounding.

Although it is possible that the computer he found was scrapped before the GDPR era, as the latest data on it was from 2015, legislation on the protection of personal data was in effect before that regulation was passed. Hungary’s Act LXIII of 1992, on the protection of personal data and the disclosure of data of public interest, and Act XLVII of 1997, on the processing and protection of health and related personal data, stated that during the handling of personal or health data, the security of data should be ensured.

In the case of Solymos’ investigation, the disregard for these data protection laws while they were in effect raises the question: what’s to stop businesses and individuals from improperly disposing of their IT assets today?

Aside from this one investigation, improper computer disposal can also occur at a larger scale. Even when companies think they have done their due diligence, data removal methods such as hard drive reformatting and physical destruction don’t guarantee that all data has been removed, making companies more vulnerable to data exposure.

Data Security Risks in the Second-Hand IT Asset Marketplace

In a research study conducted by Blancco and a Blancco partner, OnTrack, Blancco IT staff in the U.S., Germany, Finland, and the U.K. purchased over 150 used solid-state drives (SSDs) and hard disk drives (HDDs) from eBay. The drives were then analyzed by OnTrack through proprietary data recovery tools to see if any data, particularly personally identifiable information (PII), remained. The drives were purchased randomly and with the condition that they had not been wiped using Blancco software. Of the 159 drives analyzed, data was found on 66 of them, with 25 of the drives containing PII such as photos, birth certificates, names, email addresses, and more. Overall, 15 percent of the drives tested contained sensitive information that could be dangerous in the hands of identity thieves or hackers.

Preventing Exposure of Personal and Private Data During Computer Disposal

The exposure of personal and private information makes companies and individuals highly susceptible to fraud and cyberattack. The high volume of private data found in Solymos’ and Kocsis’ computer disposal investigation, as well as in Blancco and OnTrack’s research study, shows that data leaks and identity fraud are very real and present threats. The ease of accessing private data, and the serious consequences of personal and private data exposure, show the importance of properly sanitizing data before disposing of IT assets.

As noted in our “False Sense of Security” research study, an overwhelming number of enterprises continue to use highly insecure methods to remove data at end-of-life. While taking action to remove data at end-of-life is a step in the right direction, these methods only provide a limited level of protection. These insecure methods include formatting, overwriting using free software tools (e.g., KillDisk/DBAN), physical destruction such as degaussing and shredding (misapplied or with no audit trail), and overwriting using paid software-based tools without verification and/or certification. Using software to erase data permanently, as well as verifying and having certification that the asset was properly sanitized, is key to protecting the sensitive information enterprises hold on assets such as loose drives, intact PCs, and laptops at end-of-life.
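The two points above (that formatting leaves file contents in place, and that an overwrite is only trustworthy once it has been read back and recorded) can be seen on a small simulated disk image. The following Python script is an added example, not Blancco's code or the tools Solymos used: it builds a constructed 64 KiB image with a made-up layout (the first 4 KiB stand in for the filesystem's directory table, a fictitious record sits at offset 8192), simulates a quick format, carves the record back out, then performs a single-pass overwrite, verifies every sector on read-back, and wraps the result in a SHA-256-checked verification record. The layout, offsets, record contents and asset id are all assumptions for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

SECTOR = 512
TABLE_END = 4096          # assumption: first 4 KiB play the role of the allocation/directory table
IMAGE_SIZE = 64 * 1024    # constructed 64 KiB "disk"
DATA_OFFSET = 8192        # assumption: where the sample record lives in the data region

# Constructed, fictitious record; no real patient data is involved.
SAMPLE_RECORD = (
    b"PATIENT_ID=000123;NAME=Example Person;DOB=1970-01-01;RX=placeholder\n"
    b"EMAIL=someone@example.invalid\n"
)


def build_sample_image() -> bytearray:
    """Build the constructed image: a metadata marker in the table region, one record in the data region."""
    img = bytearray(IMAGE_SIZE)
    img[0:8] = b"DIRTABLE"                       # stands in for filesystem metadata
    img[DATA_OFFSET:DATA_OFFSET + len(SAMPLE_RECORD)] = SAMPLE_RECORD
    return img


def quick_format(img: bytes) -> bytearray:
    """Simulate a quick format: only the metadata region is cleared; data blocks are untouched."""
    out = bytearray(img)
    out[0:TABLE_END] = bytes(TABLE_END)
    return out


def carve(img: bytes, needle: bytes) -> list:
    """Return every offset at which a plaintext marker still appears on the image (what a carver finds)."""
    offsets, pos = [], img.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = img.find(needle, pos + 1)
    return offsets


def overwrite(img: bytes, pattern: bytes = b"\x00") -> bytearray:
    """Single-pass overwrite of every byte with a fixed pattern."""
    assert len(img) % len(pattern) == 0, "image size must be a multiple of the pattern length"
    return bytearray(pattern * (len(img) // len(pattern)))


def verify_overwrite(img: bytes, pattern: bytes = b"\x00") -> dict:
    """Full read-back verification: every sector must equal the expected pattern, no sampling."""
    expected = pattern * (SECTOR // len(pattern))
    sectors = len(img) // SECTOR
    bad = [n for n in range(sectors) if bytes(img[n * SECTOR:(n + 1) * SECTOR]) != expected]
    return {"sectors": sectors, "mismatching_sectors": bad, "verified": not bad}


def make_certificate(report: dict, asset_id: str) -> dict:
    """Wrap the verification report in a record with a SHA-256 digest so later edits are detectable."""
    record = {
        "asset_id": asset_id,
        "verified_at": datetime.now(timezone.utc).isoformat(),
        "method": "single-pass overwrite, full read-back verification",
        **report,
    }
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return {"record": record, "sha256": hashlib.sha256(canonical).hexdigest()}


def check_certificate(cert: dict) -> bool:
    """Recompute the digest over the record and compare; False if the record was altered afterwards."""
    canonical = json.dumps(cert["record"], sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest() == cert["sha256"]


if __name__ == "__main__":
    disk = build_sample_image()
    formatted = quick_format(disk)
    print("after quick format, record still at offsets:", carve(formatted, b"PATIENT_ID"))
    print("quick-formatted image passes verification?", verify_overwrite(formatted)["verified"])
    wiped = overwrite(disk)
    report = verify_overwrite(wiped)
    cert = make_certificate(report, "ASSET-EXAMPLE-0001")
    print("wiped image verified:", report["verified"], "| certificate intact:", check_certificate(cert))
```

The quick-formatted image still yields the record to a simple byte search and fails the sector check, while the overwritten image passes and leaves a record that can be audited later. Two caveats the simulation cannot show: a real overwrite and read-back must run against the physical device rather than a file, and on SSDs wear levelling and over-provisioned cells are not reachable by a host-side overwrite at all, which is why the article stresses purpose-built, certified erasure with verification rather than generic overwriting.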

To learn more about the scope of data and information that Solymos and Kocsis discovered on the discarded PC, visit the detailed cyber blog (Kiberblog) post, “Trash Data – Thousands of Health and Patient Data Were Carried in a Waste Container.”

Then, learn how your sensitive data can be securely and completely removed from servers, laptops, desktops and drives with the most certified disk erasure software solution on the market. Visit our Blancco Drive Eraser product page for more information.

Ensure No Data Remains on Old HDDs & SSDs

Through our certified erasure process, organizations have a secure method to completely and permanently erase data on storage devices in a cost-effective and eco-friendly manner.