Recycling Hard Drives without Purging Results in NARA data breach

70 million military veterans' records exposed due to lax end-of-life practices
NARA privacy breach could have been avoided by purging data on the defective HDD

In November 2008, the National Archives and Records Administration (NARA) sent out an unsanitized hard drive for repair by the vendor. The drive, one component of a six-drive RAID array used by the administration's eVetRecs system, contained an Oracle database holding the health and discharge records of millions of veterans dating back to 1972. When outside contractor GMRI determined the drive to be defective, it was sent to another outside vendor for recycling, with the private information it contained still intact.

Now, according to a story on Wired Online, a NARA IT manager is claiming that the agency's ongoing practice of failing to sanitize hard drives before sending them off site exposes veterans to identity theft. Interviewed for Wired.com's online privacy, crime and security page, Hank Bellomy, a NARA IT manager, charges that the failure to purge data from recycled drives is symptomatic of a larger problem among government record-keeping agencies. His comments to Wired reflect the frustration of many other IT managers caught in a web of seemingly conflicting policies:

“I said you can’t turn them back in,” said Bellomy. “The data is Privacy Act — it’s against the law. We have no clue how many drives have been sent back over the past seven years since this system was in place. I am a government employee and I’m a veteran, and just this year had both my credit cards replaced because they were compromised.”

NARA is simultaneously claiming that the lost drives are no big deal and changing its policy in response to the criticism: the agency now requires that drives be destroyed in house. Its position is that there is no problem here because it has signed privacy agreements with its contractors. The hole in the "vendor accountability" argument is made painfully clear by the fact that the missing drive still cannot be located.

This is where it gets complicated, because NARA's maintenance contract requires that it return defective drives for inspection or else pay a $2,000 replacement fee. As we have discussed any number of times in this space, government agencies in general are confused about what the current standard is for protecting private data at the end of the media life cycle. In this case, the HDD in question is a Catch-22 for NARA: to determine whether the drive is defective, it must be taken off premises, which is already a compromise of best practices, and if the agency does not send it out, it spends more taxpayer money on a new drive.

The solution to the quandary is referenced obliquely in the same article: remove the data prior to recycling. The National Institute of Standards and Technology (NIST) now recommends firmware-based purging methods that remove data from HDDs beyond the possibility of forensic recovery without destroying the drive itself (OMB rules also direct government agencies to follow these same NIST standards). The highest level of purging cited in the NIST guidelines is performed by a device called the SCSI Hammer, developed by forensic recovery experts CPR Tools. The device would have solved the NARA dilemma by removing the data from the drive while still allowing it to be inspected and subsequently recycled. The SCSI Hammer also generates a legally defensible audit trail that records each drive's unique serial number, the erasure and erasure-verification processes used, and a checksum demonstrating the change to the drive's contents after erasure. Whether the agency or the outside contractor is responsible for this potentially massive data breach is merely a technicality for the 70 million veterans whose private information is on the lost HDD. If it had been purged of data, there would be no problem.
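To make the verification and audit-trail step concrete, here is an added example (not the page's, CPR Tools' or the SCSI Hammer's code) that reads a purged drive image or block device path, confirms every byte matches the expected post-purge pattern, and emits a per-drive audit record with the serial number, method and a SHA-256 of the verified contents. The serial, method string and sample image are constructed placeholders; verifying a real block device requires reading it after the purge, normally as root.

```python
import hashlib
import json
import os
import tempfile
import time

BLOCK = 1 << 20  # read in 1 MiB chunks


def verify_purged(path, expected_byte=0x00):
    """Return (all_clear, first_bad_offset, sha256) for the media at `path`.
    Every byte must equal `expected_byte` (0x00 after a zero-fill); the digest
    is logged so a later re-read can show nothing was written afterwards."""
    h, first_bad, offset = hashlib.sha256(), None, 0
    clean = bytes([expected_byte]) * BLOCK
    with open(path, "rb") as f:
        while chunk := f.read(BLOCK):
            h.update(chunk)
            if first_bad is None and chunk != clean[:len(chunk)]:
                # record the offset of the first residual byte for the report
                first_bad = offset + next(
                    i for i, b in enumerate(chunk) if b != expected_byte)
            offset += len(chunk)
    return first_bad is None, first_bad, h.hexdigest()


def audit_record(path, serial, method, expected_byte=0x00):
    """Build the per-drive record a purge log should retain."""
    ok, bad, digest = verify_purged(path, expected_byte)
    return {
        "serial": serial,  # placeholder; read from the drive label/identify data
        "method": method,  # e.g. "firmware secure erase" or "zero-fill"
        "verified_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "bytes_checked": os.path.getsize(path),
        "result": "PASS" if ok else f"FAIL at offset {bad}",
        "sha256": digest,
    }


def make_sample_image(residue=b"", size=4096, at=1024):
    """Constructed stand-in for a drive image: zeros plus optional residue."""
    data = bytearray(size)
    data[at:at + len(residue)] = residue
    with tempfile.NamedTemporaryFile("wb", delete=False, suffix=".img") as f:
        f.write(data)
    return f.name


if __name__ == "__main__":
    rec = audit_record(make_sample_image(b"leftover record"), "SERIAL-PLACEHOLDER", "zero-fill")
    print(json.dumps(rec, indent=2))
```

A drive that fails this check must not leave the premises, whatever the maintenance contract says; the record for a passing drive is what goes back to the vendor with it.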

Read more about the SCSI Hammer here.
