The continued rise in sales of computing devices – up 4.5% to 2.32 billion units worldwide, according to Gartner’s latest estimate – drives the security news agenda to protect them. There is no shortage of advice on data protection, staying safe online, avoiding phishing attacks and combatting malware.
However, for all the high-profile news and constant barrage of messages urging us to protect ourselves, our businesses and countries, there is an enormous area of security that is believed to be safe, but constantly falls between the cracks. Many of the devices sold each year will be to replace retired PCs that may subsequently be sold, recycled or otherwise disposed of.
Data destroyed – or is it?
Software ‘wipes’, i.e. overwriting data, do not actually erase data but rather simply cover it up with code. Data – and the hard drives that store it – is more resilient than you think.
Kroll Ontrack found that 60% of computers processed by so-called data-removal specialists still contained data from the previous owner when it released them for sale on the second-hand market. It also recovered data from a cracked and singed hard drive that fell to Earth from the Space Shuttle Columbia.
Good news for James Howell, the man who sent his old PC to landfill before realising the Bitcoins it contained had increased in value to around £4 million (assuming he can ever find it again).
Not such good news for businesses or individuals who think their data is irretrievable when they dispose of hardware. The penalties of data falling into the wrong hands include fines and the PR nightmare of a thorough reputation drubbing.
Many businesses offer safe destruction of hard drives. All (or, at least, most) are well-intended and may even believe that they do indeed destroy all the data held on the devices.
Their most common method is to drill three holes in the hard disk, a method upheld as the standard by a major high-street bank. Others believe that taking a sledgehammer or similar to the equipment will destroy all the data.
This is simply not true. There are in-depth recovery companies that can recover information from hard drives, even if they have been smashed to pieces. This puts hundreds of millions of people’s confidential data at risk.
Even when a hard drive is shattered, a piece of it the size of a fingernail holds more than 100Gb of readable information. Anyone who mounts that shard and scans it can access the information.
The risk to the company that owns or owned the data is that it remains responsible for the data even when it leaves its hands.
Chain of custody
The company that holds data is the custodian of that information. In passing any devices holding data to an external provider for destruction, the original company is simply adding a link in the chain of custody, but could still be held responsible for the data.
NHS Surrey learned the hard way earlier this year when data regulators fined it £200,000 for releasing the private records of 3,000 patients to the general public – the data destruction company it commissioned to destroy the data simply crushed the hard drives and sold them on, (probably) not realising the data was still retrievable. An anticipated 2014 update to the Data Protection Act could mean that NHS Surrey got off lightly; the update is expected to include fines of up to £500,000 for a data breach.
The only guaranteed method of removing data from hard drives is degaussing. Degaussing is the process of reducing or eliminating a magnetic field, in this case, data stored on tape or disk; those old enough to remember the ‘70s and ‘80s might have discovered for themselves what happened if they brought a magnet too close to a music cassette.
Degaussing is also the only approved data-elimination method of the US National Security Agency and the Department of Defense and the only sure-fire method that is compliant with the UK’s ISO 27001 standard for information security management systems and top-secret data standards such as CESG and CTTM; all other methods leave businesses at risk of data breaches.
Different types of degaussing suit different hardware and the options, unless you happen to have a solid background in physics, can seem daunting.
If you struggle to know your Oersteds from your Coercivity, you must work with a reliable partner to dispose of data assets. Not all degaussers are the same – older, outdated degaussers are not strong enough to erase new media and therefore is not secure.
Until private and public sector organisations take their data destruction seriously, there will be more than just the occasional fine at stake. It is the final crack in the data-security process that organisations need to seal.