With so many items being bought and sold daily on online auction sites, it was only a matter of time before used corporate hard drives found their way into the mix—used corporate hard drives with sensitive data still intact. Forget reformatting; hard drives aren’t an Etch-a-Sketch you can simply turn and shake for a clean slate. Data tends to stick around if you don’t utilize complex deletion methods. If your company relies solely on reformatting before scrapping unwanted hard disks, it could be making a big mistake and writing it in permanent ink.
Pointsec, a company specializing in hard drive security, conducted a study in June to determine just how easy it would be to buy hard disks and laptops from online auction sites and recover their reformatted data. Of the 100 disks and laptops purchased online, nearly 70 had recoverable data even though they were reformatted or “wiped clean.”
“Companies routinely discard or otherwise get rid of machines that have gone through their useful lifetime,” says Pointsec co-founder John Muir. “[The previous owners] think that quickly reformatting a hard drive is enough to protect them, and this study shows that this is not at all true. This is a problem.”
You would think that a company specializing in hard drive security should be able to use their skills to recover data or else it’s time to take down the shingle. But Muir was quick to point out that they only utilized the most basic and widely used data recovery tools in their study, and randomly selected all of the disks and laptops from online auction sites. “Nothing nefarious; no back alley dealings or anything that would indicate Pointsec employees were trying to target a particular company,” says Muir. “They could not use any exotic [data-recovery] tools.”
And the grand prize of this study? One hard disk purchased from eBay contained sensitive data belonging to one of Europe’s largest financial services groups. The information included pension plans, customer databases, financial information, payroll records and login codes for the company’s secure intranet site—and that is just from a random sweep of 100 disks.
According to Muir, the most effective solution to this problem is not the most obvious: “The interesting fact here is that we are not recommending that companies go out and get much more systematic about learning how to wipe disk drives. Had those hard drives been fully encrypted in the first place they wouldn’t have to wipe them at all.” He points to Pointsec’s enterprise encryption solutions for Windows, Mobile OS, Palm and Symbian as an example of this proactive approach.
The added benefit of encryption over more-effective cleaning is that it protects the disk throughout its lifetime. “At any point in the data lifecycle if the product is lost or stolen or thieves steal a hard drive out of a machine, the data is just inaccessible,” says Muir. “When the device is eventually disposed of, the owners don’t have to worry about any new process or even wiping the data at all.”