The dangers of dead data

By Philip McMichael, COO DiskShred.

  • 10 years ago Posted in

The nature of the problem
At end of service life every PC, laptop and server - as well as many laser printer-copiers – typically contain between one and twenty hard drives loaded with information. The chances are that some of that data is either sensitive or very sensitive – and in the wrong hands (e.g. criminals or the hands of a competitor), this can spell trouble.


If even the smallest amount of that data is sensitive (e.g. personally identifiable information, business intelligence or intellectual property) the whole drive must be treated as sensitive and the data on it disposed of safely and using a fully auditable process.


In today’s data centres and server rooms too, the widespread use of virtual server’s means that it is all but impossible to know what information is on a particular storage device. Which means that it’s impossible to know how sensitive that information is and so the only safe assumption is that it is highly sensitive and needs to be properly destroyed.


The problem in today’s IT-centric world is that you cannot simply `bulk format’ those disks. It is now simplicity itself - with software that is freely available on the Internet - to recover 90 per cent of the data on a disk.


And with the right laboratory equipment, you can recover the data that was on a disk several `drive wipes’ previously - effectively creating a hard disk time machine.


Unlike Dr Who’s TARDIS, however, this is not future technology fantasy, but the real world of today. The take-out here is that in-house disk wiping is simply not good enough to ensure your organisation’s data is gone forever.


The reality is that, if you do not want to fall foul of the Information Commissioner’s Office (ICO) – the UK Government agency tasked with enforcing the law relating to our data - for a data leak or breach and/or have your reputation dragged into the media, or even lose customers as a result of leaking their personally identifiable data - you really have no choice but to go for a professional data destruction service.


But these services come in differing levels of ‘risk and cost’ as we shall see shortly.


The perils ahead
But first let’s look at what happens if the data destruction job is not carried out properly with some high profile recent examples.


In July 2013, the ICO gave NHS Surrey a hefty fine of £200,000 after more than 3,000 patient records were found on a second-hand computer bought through an online auction website.


According to the ICO, the sensitive patient information was inadvertently left on the PC – and sold by a data destruction company employed by NHS Surrey since March of 2010 to wipe/destroy their old computer equipment. The firm carried out the service for free, with an agreement that they could sell any salvageable materials after the hard drives had been securely destroyed.


In late May 2013, NHS Surrey was contacted by a member of the public who had recently bought a second-hand computer and found that it contained the details of patients’ treated by the health trust.


The organisation collected the computer and found confidential sensitive personal data and HR records - including patient records relating to approximately 900 adults and 2,000 children - on the computer.


After being alerted to the problem, NHS Surrey managed to reclaim a further 39 computers sold by the trading arm of the `free’ destruction provider. The ICO said that ten of these PCs were found to have previously belonged to NHS Surrey, three of which still contained sensitive personal data.
At the time, Stephen Eckersley, the ICO’s Head of Enforcement, said that the facts of the breach were truly shocking, as NHS Surrey had handed over a substantial number of PCs (NHS Surrey didn’t have a complete asset register so were unable to verify the exact quantity) to a company without ensuring that the information had been securely deleted, adding that the result was that patients’ information was effectively being sold online.
“This breach is one of the most serious the ICO has witnessed and the penalty reflects the disturbing circumstances of the case. We should not have to tell organisations to think twice, before outsourcing vital services to companies who offer to work for free,” he said,


A major data destruction survey – covering the public and private sector - published by the data protection registrar in April 2011 revealed that more than one in 10 second-hand hard drives sold online at the time contained recoverable personal information.


The findings - based on an analysis of 200 hard drives, 20 USB sticks and 10 mobile phones - said Christopher Graham, the Information Commissioner, show that people are in danger of becoming a soft touch for online fraudsters, simply because organisations and individuals are failing to ensure the secure deletion of the data held on their old storage devices.


"Many people will presume that pressing the delete button on a computer file means that it is gone forever. However this information can easily be recovered," he explained.


Whilst only minimal personal data was recovered from the phones and USB sticks, 11% of the disk drives were found to have contained personal data, whilst 37% contained non-personal information and only 38% of the devices had actually been wiped clean.


The ICO revealed at the time that around 34,000 files containing personal or corporate data were recovered in total, with four of the units containing client/employee data from four organisations - including job applications; copies of passports; birth certificates and driving licences; full bank details; health information; and residence permits.


If you read the news, you will realise these cases are not uncommon. And you can be sure that for every case that makes the headlines there are many hundreds that do not….


So let’s look at the professional data destruction options:


Degaussing
This is a process where the disk is put through a very large electro-magnet. In theory this should wipe the data completely, but in many cases the data wipe is either only partial – deleting elements of the data files – or does not reach far enough into the drive’s magnetic surface to be effective.
Remember here that, with the right equipment laboratories and ‘industrial espionage’ systems plus software (freely available on the Internet) IT professionals can recover data from several disk wipes ago


And although this process of degaussing is relatively cheap, the cost of checking each one to ‘spy data destruction’ standards would be monumental.


Disk Shredding
You can put each hard disk through a massive physical shredding machine, which cuts it into small ‘chunks’. This process chops and grinds the hard disk into specific sized pieces, usually no bigger than a 20 pence piece– and although technically at this size the data could still exist on the chunks, it is not recoverable. This process – which is highly effective - is similar to shredding office documents into confetti-sized pieces.


We’ll cover the finer details of shredding in a moment, but first there are two main shredding services: Off-Site and On-Site (mobile).


Let’s review the effectiveness and costs of these services:
Off-Site Shredding
This service is usually cheaper than the on-site option, simply because the supplier takes the disks away to a large factory-type facility where the shredding is done on an industrial scale.


But this process is relatively dangerous because – just like when the waiter in the restaurant disappears with your debit or credit card - you have no way of truly knowing what happens to it when it leaves your sight. As a result you have no definitive means of confirming what has happened to your data and its storage devices.


It’s also very difficult to know whether the disk went from your hands and into the destruction machine without being diverted or copied, since today’s high-speed computers can copy an entire drive in a matter of minutes.


On-Site Shredding
In this process, a shredder within a lorry comes to your site and you can accompany the disks into the lorry. You can then stand and watch as they are processed to industry approved standard sizes such as 20mm or even 5mm scraps.


In addition, with professional’s shredding lorries – such as Diskshred’s - you can let CCTV oversee the full process and give you a full audit trail (including the capture of the serial number) as each disk is placed on the conveyor and filmed as it goes into the jaws of the shredding machine and out the other side as small chunks.


Levels of shredding explained
Just like with paper shredding, there are different levels of shredding involved with disk drives. Some shredding systems physically crush the drives before breaking the resultant mangled metal and plastic ensemble into pieces, but most modern services chop the units into small chunks.


Now the bad news: disk drives come in many shapes and sizes, raging from high capacity three inch drives, down to one-half inch spinning platters in very tiny computer systems - and also use solid state drives, where the data is stored on a series of tiny chips no larger than a finger nail.


And just like with the highest standard paper shredders, given enough patience, time and resources, criminals can reconstitute the playable surface of disk drives, as well as recover data on a tiny chip in a solid state drive by hooking it up to the necessary electronics.


Most commercial drive shredders will guarantee a maximum chunk size using defined industry standards. Generally speaking these maximum chunk (particle) sizes fall into 20mm-plus, 20mm, 10mm and 5/6mm levels.


Which chunk size you opt for depends on the type and sensitivity of the data held on the drive, as well as the degree of commercial risk you are willing to shoulder. Although you should bear in mind that in extreme cases some companies have gone out of business following a data breach/loss incident, as customer confidence in their services ebbs away.


Choosing the best option
This is where we enter into the world of accountancy - with the inevitable cost-benefit equation.
But if you have disks with personally identifiable information and/or high-sensitivity data on-board - or if the disks are from managed servers or cloud computing servers (where you’ve no idea what data is on them nor how sensitive it is) - the financial and business penalties are potentially huge.
The bottom line to this cost-benefit equation is that the best form of insurance is paying a little extra to a fully certified operator like DiskShred for the certainty that your data on the drives really has gone forever.
 

Exos X20 and IronWolf Pro 20TB CMR-based HDDs help organizations maximize the value of data.
Quest Software has signed a definitive agreement with Clearlake Capital Group, L.P. (together with...
Infinidat has achieved significant milestones in an aggressive expansion of its channel...
Collaboration will safeguard HPC storage systems and customer data with Panasas hardware-based...
Peraton, a leading mission capability integrator and transformative enterprise IT provider, has...
Helping customers plan for software failure, data loss and downtime.
Cloud Computing and Disaster Recovery specialist, virtualDCS has been named as the first UK-based...
SharePlex 10.1.2 enables customers to move data in near real-time to MySQL and PostgreSQL.