BreachExchange mailing list archives

Channel beware: permanent data destruction is harder than it looks


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 20 Sep 2013 00:41:05 -0600

http://www.microscope.co.uk/opinion/Channel-beware-permanent-data-destruction-is-harder-than-it-looks

The UK Information Commissioner’s Office (ICO) recently published the
number of data breaches committed this year. The findings reveal that half
were due to carelessness and most of the data breach scandals occurred in
sectors that store highly sensitive data. Local councils and the health
sector were the biggest offenders and paid over £4 million worth of fines
in 2013. A big worry is that the government body only issues fines for
gross negligence, which means the public sector had committed serious
infringements. In comparison, the amount paid out by private businesses was
a mere £600,000.

One of the most notable cases involved NHS Surrey, which was fined
£200,000 after it publicly leaked the records of 3,000 patients. The loss
occurred because the data destruction company in charge of recycling the
hospitals’ computers hadn’t properly destroyed the records. Instead, it
unwittingly passed on data, believing that crushing the hard drives of the
computers was enough to permanently erase information.

Any reputable data erasure specialist knows this method of disposal is far
from foolproof. Deleted data can often be retrieved from damaged equipment
or from formatted or corrupt volumes – even from initialised disks. Kroll
Ontrack knows this better than any other firm. Our most famous data
recovery was from a cracked and singed hard drive that fell to Earth in the
debris from the Space Shuttle Columbia in 2003! In the case of NHS Surrey,
the ICO was alerted to the breach not by a hardened criminal with amazing
tech skills, but by a member of the public who had purchased one of the
computers and found the data on their desktop.

The public sector outsources the bulk of its IT responsibilities to the
channel; therefore the channel needs to work with skilled data destruction
companies to protect their reputations as well as those of their clients.
Knowing who to trust requires a bit of research in the selection process.
A quick Google search will reveal many companies promising the same
results, so channel beware. Do a background check of the company before
choosing the right data destruction partner. Find out if the organisation
employs trained engineers and whether they work in a clean room. Ask for
customer case studies. Find out the methods they use to destroy data.

For example, permanent erasure requires the use of accredited erasure
software or a degausser for non-functioning computers. They not only wipe
all traces of data but also provide companies with erasure verification
reports, which are vital for compliance audits. The reports list what has
been deleted and identify the serial number, make and model of the hard
drive removed. The date and time of erasure and the amount of information
that has been erased are also available. For non-functioning hardware,
a degausser ensures all data is permanently irrecoverable.

Some data destruction companies don’t have the technical knowledge to use
the correct tools – which explains why they choose to smash a hard drive
instead.

The computers belonging to NHS Surrey were compromised the moment they left
the hospital, leading to a scandal which will take a while to forget. A
clear warning has been sent to all IT managed service providers for the
public sector: the channel must take the threat of data breaches seriously
or risk damaging their reputations and losing customers. The only way to
protect the bottom line is to find a data destruction company that can
guarantee the permanent and professional deletion of files.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 