Best Practices for End of Life Data Cycles
As incidents of data breaches and theft of private data continue to multiply, the gaping hole at the end of the data life cycle is of growing concern to security experts, IT professionals and corporate executives. While millions of dollars have been spent on data encryption, virus protection and online security, the process of decommissioning, destroying or recycling PCs and hard drives has been neglected.
The pervasiveness of the problem was emphasized last year when a Florida-based data recovery/security company purchased nine SCSI hard drives on eBay. LaBelle, FL-based CPR Tools planned to use the drives during the development phase of a new data security product. A key component in the company’s protocol is to inspect all second-hand drives prior to using them for research and testing. During an initial examination of the drive sectors, the company found extensive data, including credit card numbers, addresses and names. Surprised at having discovered so much data so easily, the company employed some typical data recovery tools to further examine the drives. During this process, large quantities of personal information were uncovered with very little effort. This data included more than 2,500 credit card numbers, more than 1,000 names, addresses, phone numbers and prescription drug information.
Similarly, a New York City-based computer forensics firm randomly purchased 100 hard drives on eBay, most of them serial ATA drives. According to ComputerWorld magazine, Kessler International found that 40% of the hard disk drives it purchased contained personal, private and sensitive information, from corporate financial data to personal Web-surfing history and downloads. Some of the information retrieved was recovered using standard forensics hardware, although the drives had been previously “wiped.”
At Harvard University’s Center for Research and Computing, Simon Garfinkel conducted a survey based on more than 1,000 hard drives purchased on eBay. His search returned data that included 31,000 credit numbers on a hard drive from a medical center, as well as consumer credit applications with names, work histories and Social Security numbers.
However, there are signs that this situation is changing quickly as a result of government regulations now in effect, including the Health Information Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act, the Personal Information Protection and Electronic Documents Act, the Gramm-Leach-Bliley Act and California Senate Bill 1386. New “best practice” standards developed by NIST and other agencies are now emerging as corporations, organizations and government entities reassess the real-life demands of custody and control.
PC end-of-life strategies may include any number of scenarios, including physical destruction, recycling or re-deployment. Each one of these solutions requires that existing data be destroyed beyond recovery before committing to the final stage. For an in-depth treatment of end-of-life PC/hard drive sanitization practices, please visit this link.



