Data that won’t Budge

May 31, 2009

The secure destruction of data held on electronic devices is an issue that troubles individuals and large organisations alike. Misplaced data is a perennial problem, but recent research for BT has revealed the shocking extent to which sensitive information can be retrieved from second-hand hardware sold on the likes of eBay. In this instance the hard drives bought on eBay had been subjected to only a basic level of data removal and then disposed of inappropriately, in what amounted to a clear breach of contract.

Individuals, companies and government organisations store their most important information on computers, PDAs and even MP3 players, and virtually all business is now conducted electronically. Yet when it comes to disposing of those items it seems to be a case of 'out of sight, out of mind'. It is clear that most organisations and private individuals still have no idea of the volume and type of information that remains on a computer's hard disk.

Businesses also need to be aware that they could be acting illegally by not disposing of their data properly. Many companies still labour under the impression that pressing the delete key is the end of the matter; others believe that formatting a drive is even better. Neither is the case. Deleting a file removes only the file system's pointer to it, and a quick format rewrites only the file system's metadata; the data blocks themselves stay on the disk until something overwrites them, and can be retrieved and reconstructed in a relatively straightforward manner. Similarly, backup tapes and mobile devices can appear blank yet still contain legacy data that the appropriate recovery techniques will bring back.

The real issue is what should be done when these devices, containing such data, are due for disposal. In the corporate environment there is a duty of care in relation to individuals' data privacy under the Data Protection Act, and of course there is also sensitive company or government data and financial information which may be subject to many regulations. Fundamentally, it is essential that any business has a recognised and tested procedure for the destruction and disposal of data, one that has been the subject of a proper risk assessment. Often disposal is part of a routine process handled by the IT department, and all too often there is a failure, not necessarily the fault of that department, to recognise the value of secure and complete destruction of data.

Businesses and government organisations, who should know better, are not alone. The problem exists with home users and people who use their own computers for work. In these cases it stems, more often than not, from ignorance of the facts: when individuals sell their computer or upgrade to the latest model they do not take sufficient precautions. Often the data is backed up for transfer from the old machine to the new, but a copy remains on the old one. Even wiping programs can leave residual data on a disk: they can only overwrite the sectors the drive exposes to the operating system, so sectors the drive's firmware has remapped as faulty, and areas of the drive hidden from the host, may keep their old contents.

So, what should companies do when it comes to disposing of computers and other media? 

It is essential that confidential and sensitive data is removed from computers before disposal to avoid breach of confidentiality or unauthorised gathering of information about user accounts and passwords.

For these reasons it is vital that all computers and computer media are disposed of in a way that meets that requirement. Using a data-erasure program to wipe the hard drive clean is the first step in disposing of any sensitive information; CD-ROMs and DVDs should be shredded, and many domestic shredders now have this capability; tapes should be completely overwritten. Hard drives should be securely wiped using a recognised software program, the result checked by reading the drive back before it leaves your control, and, if the drive is not being recycled, the unit should be physically rendered unusable. Mobile devices should likewise be securely wiped or physically destroyed.
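The points above (deletion and quick formatting leave data in place, an overwrite pass removes what the host can see, and wiping tools still miss sectors the drive has quietly remapped) can be shown on a toy disk image. The following is an added example written for this page, not code from the article or from Kroll Ontrack. It models a drive as a bytearray of 64-byte sectors with a one-sector directory, a firmware spare sector and one remapped LBA; the file names, the `CUSTOMER-DB` signature and the card number are all constructed, and the model is deliberately simpler than any real file system or drive firmware.

```python
"""Toy disk model: an added example, not from the article; all names and data constructed."""
import os

SECTOR = 64      # bytes per sector (tiny, to keep the image readable)
N_SECTORS = 16   # host-addressable LBAs 0..15
DIR_LBA = 0      # sector 0 holds the directory; file data starts at LBA 1
ENTRY = 32       # directory record: 1 flag, 1 start LBA, 2 length, 28 name


class ToyDisk:
    def __init__(self):
        self.platter = bytearray(SECTOR * N_SECTORS)  # physical sectors
        self.spare = bytearray(SECTOR)                # firmware spare sector
        self.remapped = None                          # LBA redirected to spare
        self.next_free = DIR_LBA + 1

    # Host-visible I/O goes through the firmware's LBA mapping.
    def read(self, lba):
        if lba == self.remapped:
            return bytes(self.spare)
        return bytes(self.platter[lba * SECTOR:(lba + 1) * SECTOR])

    def write(self, lba, data):
        data = bytes(data).ljust(SECTOR, b"\0")[:SECTOR]
        if lba == self.remapped:
            self.spare[:] = data
        else:
            self.platter[lba * SECTOR:(lba + 1) * SECTOR] = data

    # A toy file system: contiguous allocation, one directory sector.
    def write_file(self, name, data):
        start, n = self.next_free, (len(data) + SECTOR - 1) // SECTOR
        for i in range(n):
            self.write(start + i, data[i * SECTOR:(i + 1) * SECTOR])
        self.next_free += n
        d = bytearray(self.read(DIR_LBA))
        off = next(o for o in range(0, SECTOR, ENTRY) if d[o] == 0)  # free record
        d[off], d[off + 1] = 1, start
        d[off + 2:off + 4] = len(data).to_bytes(2, "big")
        d[off + 4:off + ENTRY] = name.encode().ljust(28, b"\0")
        self.write(DIR_LBA, d)

    def list_files(self):
        d = self.read(DIR_LBA)
        return [d[o + 4:o + ENTRY].rstrip(b"\0").decode()
                for o in range(0, SECTOR, ENTRY) if d[o] == 1]

    def delete_file(self, name):
        # Like FAT's 0xE5 marker: only the directory flag changes; data stays put.
        d = bytearray(self.read(DIR_LBA))
        for o in range(0, SECTOR, ENTRY):
            if d[o + 4:o + ENTRY].rstrip(b"\0") == name.encode():
                d[o] = 2
        self.write(DIR_LBA, d)

    def quick_format(self):
        # Rewrites the directory sector only; every data sector is untouched.
        self.write(DIR_LBA, b"\0" * SECTOR)

    def remap(self, lba):
        # Firmware retires a weak sector: copy to spare, redirect the LBA; the old bytes stay.
        self.spare[:] = self.platter[lba * SECTOR:(lba + 1) * SECTOR]
        self.remapped = lba

    def host_view(self):   # what a wiping tool's verify pass can read back
        return b"".join(self.read(lba) for lba in range(N_SECTORS))

    def raw_media(self):   # what a lab reading platters plus spare area sees
        return bytes(self.platter) + bytes(self.spare)


def carve(blob, marker):
    """Signature carving: every offset where the marker occurs, directory or not."""
    hits, i = [], blob.find(marker)
    while i != -1:
        hits.append(i)
        i = blob.find(marker, i + 1)
    return hits


def demo():
    marker = b"CUSTOMER-DB"   # constructed file signature, like a real header
    disk = ToyDisk()
    disk.write_file("customers.csv", marker + b" v1\nalice,4111111111111111\n")
    disk.write_file("notes.txt", b"nothing sensitive here")
    disk.delete_file("customers.csv")
    after_delete = (disk.list_files(), len(carve(disk.host_view(), marker)))
    disk.quick_format()
    after_format = (disk.list_files(), len(carve(disk.host_view(), marker)))
    disk.remap(1)             # LBA 1, first sector of customers.csv, is retired
    for lba in range(N_SECTORS):                 # one random pass, as a wiping tool does
        disk.write(lba, os.urandom(SECTOR))
    after_wipe = (len(carve(disk.host_view(), marker)),  # verify pass: clean
                  len(carve(disk.raw_media(), marker)))  # lab view: remnant
    return after_delete, after_format, after_wipe


if __name__ == "__main__":
    print(demo())  # (['notes.txt'], 1), ([], 1), (0, 1)
```

Running `demo()` gives the three stages in order: after the delete the directory no longer lists `customers.csv` but a signature search over the host-visible sectors still finds it; after the quick format the directory is empty and the data is still there; after the random pass the read-back verification finds nothing, yet the raw media still holds one copy in the physical sector the firmware retired. That last gap is why an overwrite verified through the host interface is a necessary check but not a complete one, and why the article's advice to follow wiping with physical destruction (or, on real ATA drives, a firmware-level secure erase that covers remapped sectors) is more than belt and braces.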

Of course, the surest way of ensuring that data does not fall into the wrong hands is to securely wipe a drive, then crush and shred the physical device, then burn the remains. But for those of a less destructive nature, the steps outlined above should suffice.

Tony Dearsley is Computer Forensics Manager at Kroll Ontrack