One in Three Second-Hand Hard Disks Contain Sensitive Information
May 7, 2009
New research from the Faculty of Advanced Technology at the University of Glamorgan has revealed that a significant number of computer hard drives that are bought second-hand still contain sensitive company and personal information.
The survey, commissioned by BT, of over 300 computer hard disks uncovered a wide range of information including bank account details, medical records, confidential business plans, financial company data, personal ID numbers, job descriptions and even launch procedures for a US military missile air defence system.
The disks were bought in the UK, America, Germany, France and Australia through computer auctions, computer fairs and eBay. The research was carried out by BT’s Security Research Centre in collaboration with the University of Glamorgan in Wales, Edith Cowan University in Australia and Longwood University in the US.
Thirty-four per cent of the disks examined contained either personal data that could be linked to an individual or commercial data identifying a company or organisation. The researchers concluded that a “surprisingly large range and quantity of information that could have a potentially commercially damaging impact or pose a threat to the identity and privacy of the individuals involved was recovered as a result of the survey.”
Examples included:
* A disk bought on eBay revealed details of test launch procedures for the THAAD (Terminal High Altitude Area Defence) ground-to-air missile defence system, used to shoot down Scud missiles in Iraq. The disk also contained security policies, blueprints of facilities and personal information on employees, including social security numbers, belonging to technology company Lockheed Martin, which designed and built the system.
* Confidential material, including network data and security logs from the German Embassy in Paris, was discovered on a disk from France.
* A disk from a US bank revealed account numbers and details of proposals for a $50 billion currency exchange through Spain. It also held details of business dealings originating in the US with organisations in Venezuela, Tunisia and Nigeria. Personal correspondence was also found from a member of the Federal Reserve Board suggesting one of the deals, already under scrutiny by the European Central Bank, looked suspicious.
* A number of disks contained data from a well-known UK-based fashion company, including information relating to trading performance, budgets, discount codes and customer names and addresses. Another contained what appeared to be corporate data from a major motor manufacturing company, including references to design and engineering for vehicle interiors.
Professor Andrew Blyth, who led the research at the University of Glamorgan, commented, “Of significant concern is the number of large organisations that are still not disposing of confidential information in a secure manner. In the current financial climate they risk losing highly valuable propriety data.”
Dr Andy Jones, head of information security research at BT, said, “This is the fourth time we have carried out this research and it is clear that a majority of organisations and private individuals still have no idea about the potential volume and type of information that is stored on computer hard disks. For a very large proportion of the disks we looked at we found enough information to expose both individuals and companies to a range of potential crimes such as fraud, blackmail and identity theft. Businesses also need to be aware that they could also be acting illegally by not disposing of this kind of data properly.”
Dr Glenn Dardick, who leads the research team at Longwood University in the US, added: “People get concerned about losing data on computers but they don’t realise that data removal and the proper decommissioning of computers and media is as important as retention. Given the rise in ID theft and the apparent availability of discarded information, we need to do better in educating people about this problem. Determining the scope of the problem as well as determining best practices for mitigating the problem is the purpose of the research.”
For further information contact the Press Office: 01443 483362