University of Glamorgan Discovers Data on Discarded Drives

Date Reported:

9/13/07

Organization:
Various*

*Research conducted by the University of Glamorgan

Contractor/Consultant:
None

Victims:
Various and Unknown

Number Affected:
Unknown

Types of Data:
"data on cancer patients", "company records, personal information, financial data and paedophile [sic] material which has resulted in a police investigation in Wales", "sensitive corporate and personal data and a significant amount contained names, CVs, addresses and phone numbers. With some, the information was so detailed that they could have had their identities stolen."

Breach Description:
Once a year for the last three years, the University of Glamorgan's Faculty of Advanced Technology has conducted a forensic study of used hard drives bought from public sites such as eBay.  University researchers analyze the hard drives for sensitive data that was not sanitized prior to disposal.

Reference URL:
http://news.glam.ac.uk/news/2007/sep/13/hard-disk-research-results-revealed/
http://www.guardian.co.uk/technology/2007/sep/13/guardianweeklytechnologysection.news2

Report Credit:
University of Glamorgan

Response:
From the online resources above:

"Information Security Researchers in the University of Glamorgan’s Faculty of Advanced Technology, have this week announced the results of their annual disk disposal survey."

"The research is aimed at assessing the volume and nature of information that remains on computer hard disks offered for sale on the second hand market and to determine the level of damage that could potentially be caused, if the information fell into the wrong hands. This year the study has uncovered a wide variety of personal and corporate data including patient medical records, financial details, and maintenance details for an oil rig."

"Dr. Iain Sutherland who co-coordinated the project at Glamorgan said, “It is worrying that in addition to home users, some quite high profile organisations have lost control of particularly sensitive data.”"

Commentary:
The data from this study validates what many information security professionals already know but didn't have the resources to prove.  This is an excellent demonstration of the risk posed by not securely disposing of electronic storage media.  Insecure disposal of electronic storage media is a rampant problem, and I know for a fact that identity thieves purchase these drives themselves.

The secure disposal of electronic media must start with policy and then be implemented through standards and procedures that dictate control processes.  Standards should outline what constitutes "secure" disposal (e.g. degaussing, physical destruction, multiple block-level overwrites), and procedures should dictate how the standards must be implemented and verified.
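As an illustration of the "verified" step for a block-level overwrite, the sketch below reads back every sector of a wiped image and reports any that do not match the overwrite pattern. It is an added example, not part of the original post or the Glamorgan study; the 512-byte sector size, the single-byte zero pattern, the function names and the sample image contents are all assumptions constructed for the demonstration.

```python
import os
import tempfile

SECTOR = 512  # assumed logical sector size; check the real device's value

def verify_overwrite(path, pattern=b"\x00", sector=SECTOR, max_report=10):
    """Read every sector of an image/device and compare it to the expected
    single-byte overwrite pattern. Returns (sectors_read, dirty_count, offsets)."""
    if len(pattern) != 1:
        raise ValueError("pattern must be a single byte")
    sectors = dirty = 0
    offsets = []
    with open(path, "rb") as f:
        while True:
            block = f.read(sector)
            if not block:
                break
            # A short final read is still compared in full, so a trailing
            # partial sector cannot hide residual data.
            if block != pattern * len(block):
                dirty += 1
                if len(offsets) < max_report:
                    offsets.append(sectors * sector)
            sectors += 1
    return sectors, dirty, offsets

def build_sample_image(wiped):
    """Constructed sample: 64 sectors, with fake 'residual' records at
    sectors 5 and 40 unless wiped=True."""
    data = bytearray(64 * SECTOR)
    if not wiped:
        data[5 * SECTOR:5 * SECTOR + 24] = b"NAME=Jane Doe;PHONE=0000"
        data[40 * SECTOR + 100:40 * SECTOR + 110] = b"SALARY=000"
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

def passes(path):
    """Procedure gate: media is released only if zero dirty sectors remain."""
    return verify_overwrite(path)[1] == 0

if __name__ == "__main__":
    for wiped in (False, True):
        img = build_sample_image(wiped)
        try:
            total, dirty, where = verify_overwrite(img)
            print(f"wiped={wiped}: {total} sectors, {dirty} dirty, first at {where}")
        finally:
            os.remove(img)
```

A read-back pass only covers sectors the drive still exposes to the host; remapped sectors and SSD spare area are out of its reach, which is one reason standards also list degaussing and physical destruction.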

News of a couple of companies that had data on these drives has already been leaked (coming stories).

Check out Life Cycle Services "Destroying Computer Data" as a reference.

Past Breaches:
None


Comments
  • 2/7/2008 1:34 PM Technology Transfer Services wrote:
    I have read myself about this data forensics and it seems that all the news is true: deleted data on a hard drive can be recovered through a simple process and with such a technique you can find out many secrets.
    1. 2/7/2008 2:08 PM Evan Francen wrote:
      Oh yeah.  It's a piece of cake, and you can do it for free.  There are many freely available tools that are easy to use and work pretty well.

      If you have an interest in any of the tools, please use the "Contact Us!" link to send me an email.
  • 3/2/2008 6:54 PM Chondroitin Sulfate wrote:
    Ohh! I read about this too! In that study at the University of Glamorgan, 300 used disks purchased from the UK, Australia and the US were tested and four out of ten contained sensitive data, such as salary details, financial data, bank and credit account details and visa applications. As far as I know it's not only recycled PCs and laptops that are seeping personal data - mobile devices are covered by the same data protection laws as computers, but they're rarely wiped after being discarded.