How Effective Is Your Data Destruction?
With the advent of digital technology it became much easier for businesses to store data. Likewise, for the average person it’s much easier to store everything from phone numbers to holiday photos and everything in between in one place - namely a digital storage system or device.
Gone are the days of bulging paper folders, full filing cabinets and everything in between. But although digital media has brought a host of benefits to businesses and consumers alike, it’s also introduced some new challenges.
With physical files and papers, it’s easy to see when they’ve been destroyed. Shredded documents and incinerated pages offer no hope of recovery. Once they have been destroyed, they and the data they hold are gone forever.
It’s easy to see when something physical has been destroyed, and to have faith that this can’t be retrieved by anyone else. But in the digital realm it’s different. Hitting ‘delete’ on a file doesn’t necessarily mean it’s gone forever, and if you’re not careful it can be easily retrieved and accessed by others.
The challenge is that you can’t obviously see whether it’s been properly deleted, or whether it is in fact still stored somewhere, albeit more difficult to access and find.
Research conducted earlier this year by the University of Hertfordshire found that the average person does a terrible job of removing data from old devices and memory cards.
The university purchased 100 second-hand memory cards, which primarily came from mobile phones or tablets, although some memory cards had been used in drones, sat navs and cameras. They were being sold as second-hand cards, in places such as second-hand shops, auctions and on eBay.
Of the 100 cards that the researchers bought in a four-month period, more than half still contained data. Worryingly, 36 of them had not been wiped at all, either by the original owner or the seller.
29 of the memory cards were described as having been formatted, but the team found that the data was easy to recover. There were two other cards that had been wiped, but again where the data wasn’t hard to retrieve.
Just 25 of the cards purchased had been cleared properly using a data erasing tool, thereby preventing the researchers from recovering any data.
What data did they find?
The research indicates that we all need to be more careful about how we store and dispose of data and storage devices. Among the information recovered were passport copies, intimate photos, contact lists, navigation routes, browsing history and even personal identification numbers.
Professor Andrew Jones, professor of cyber security at the university, said: “Despite the ongoing media focus on cybercrime and the security of personal data, it is clear from our research that the majority are not taking adequate steps to remove all data from memory cards before sales.”
He added that some of the information they recovered could easily put people at risk if it fell into the wrong hands.
Paul Bischoff, privacy advocate for Comparitech.com, the company that commissioned the university to carry out the research, explained why it’s so important to do more than just hit delete on your digital files.
“Simply deleting a file from a device only removes the reference points to where a computer could find that file in the card memory. It doesn’t actually delete the ones and zeros that make up the file,” he asserted.
Mr Bischoff continued: “That data remains on the card until it is overwritten by something else. For this reason, it’s not enough to just highlight all the files in a memory card and hit the delete key. Retired cards need to be fully erased and reformatted.”
Although this research was conducted using personal SD cards, it’s clear that there are implications here for businesses.
Data destruction: vital for business
Using a confidential data destruction service is essential to ensure you get rid of any traces of sensitive information on old storage devices or computing equipment.
Much like the people who innocently resold the memory cards that were used in the university’s research, your employees may be unaware of the complexities of wiping digital devices. Remember that files had been deleted off of 31 of the cards but that these were easily recoverable.
A well-meaning employee could think that they’ve removed files from an SD card, when in reality they’re still easy to find for anyone who knows what they’re doing. With the focus on data protection from governments around the world, as well as consumers, you can’t risk carrying out data destruction in house, unless you have a dedicated team who truly know what they need to deal with.
While you may have no intention of selling on old memory cards and other pieces of equipment, the fact remains that they need to be responsibly disposed of.
Technology is evolving all the time and you will, at some point, have to upgrade everything from your printers to your desktop computers and your mobile phones. All of these devices could potentially hold sensitive data and you have a duty to your customers to ensure that this is wiped and disposed of correctly.
How do you destroy the data on a hard drive?
There are various methods of data destruction, from electronic to physical. An article for USA Today earlier this year highlighted one of the simplest ways of ensuring that the data on an old hard drive is not recoverable.
The advice offered by Mike Cobb, director of engineering at US data recovery firm DriveSavers, is that the only way to completely destroy a hard drive, and the data contained therein, is to physically destroy it.
He explained that professional data destruction firms will use specialist machinery to rip the drive itself into shreds, and recommends paying for this service if you’ve stored any sensitive data on your drive during its lifetime.
For a business that’s an obvious and sensible precaution to take. Data breaches are costly in many ways, from the reputational damage to the huge fines that can now be levied under the GDPR legislation.
If you’re just a concerned individual with an old, broken hard drive though, you could take a DIY approach. Speaking to the news provider Cooper Quintin, senior staff technologist at the Electronic Frontier Foundation, explained that a hammer can do a comprehensive job too.
The key is to ensure you smash not only the electronic components, but also the magnetic plates within the drive, he said. Mr Quintin also pointed out that it’s a messy task, so make sure you do it outdoors and somewhere that it’s easy to clear up.
What about encryption?
Encrypted data adds an additional layer of protection to your files. If you’re disposing of an old hard drive and it’s encrypted, then even if someone were able to recover the data, they’d be unable to make sense of any of it without the encryption password.
From a personal perspective, you may feel as though this is enough protection when you’re disposing of old hard drives. But, once again, for businesses, you just don’t want to run the risk.
Those with the right knowledge and skills can break encryptions, and with recent reports of flaws in Macs and PCs that leave encrypted data vulnerable, it’s worth taking every precaution possible when it comes to disposing of old hardware.
Research released earlier this month by F-Secure, a cyber security company, found that the majority of modern computers have a weakness in their firmware that leaves them vulnerable and could allow hackers to gain access to encrypted information and other sensitive personal data if they have physical access to a device.
Although the need for physical access makes it more difficult for someone to mount such an attack, it isn’t impossible. When we consider the fact that employees often have laptops that they travel with for work - and that could be misplaced or even left unattended in unfamiliar surroundings at times - suddenly the possibility of an incident doesn’t seem so remote.
Olle Segerdahl, principal security consultant at F-Secure, commented: “Typically, organisations aren’t prepared to protect themselves from an attacker that has physical possession of a company computer.”
He explained that attackers carry out what’s known as a cold boot attack, and although they need to take extra steps to circumvent encryption processes, they’re likely to have the time to do so given that this kind of threat is “primarily relevant in scenarios where devices are stolen or illicitly obtained”.
Mr Segerdahl added that it’s very difficult for companies to guard against this from a hardware perspective, because this kind of attack exploits a weakness within the computer itself and this isn’t something that you can guard against.
However, taking extra precautions with any equipment, particularly laptops and tablets, that are used away from a secure business premises is one way in which to reduce the risk of any of your devices being exposed to such an attack.
It also highlights the importance of ensuring that any old computing equipment that your company is disposing of is properly wiped. It would be all too easy for hackers to exploit these weaknesses if they were able to get hold of old laptops that your business is no longer using, and therefore that aren’t easily missed.