August 08, 2016
You may remember the MIT research where students purchased 158 used computers from eBay and other sources and recovered thousands of personal and corporate records (including credit card numbers, financial records, medical records and personal email) from the disk drives.
The research was done more than 10 years ago, and it was a huge wake-up call for organisations about the importance of hard drive shredding and information destruction.
Unfortunately, these kinds of problems still exist.
Most recently, a Data Recovery Study in the US showed that despite attempts to wipe hard drives, 67% of 200 used hard drives purchased in 2015 from eBay and Craigslist still held personally identifiable information; 11% contained sensitive corporate data, and 9% contained company emails.
When information thieves steal this kind of confidential information, there is a risk of major personal, financial and reputational damage. An organisation also risks non-compliance with data protection laws.
Myth 1: Erase Hard Drives to get rid of information. Erasing a hard drive does not guarantee that information is gone. Similarly, ‘deleting’ a file is not a guaranteed way of destroying the information. An information thief can use special software to recover data.
Myth 2: Magnets work. There was a time when placing magnets on a hard drive would do enough damage to wipe out data. But hard drives are more resistant than ever to magnets.
Myth 3: Formatting destroys data. Simply formatting a hard drive does not completely destroy data. Similar to the ‘delete’ issue, the right software program can probably recover data.
Myth 4: Stockpiling Hard Drives protects information. Many workplaces do not have a policy for hard drive shredding and still stockpile hard drives on-site. Even if hard drives are in a locked storage area, information still exists – and can be stolen.
Myth 5: Small businesses are not targets. Regardless of size, all companies that handle private information are targets of information thieves. It’s important to have a document disposal policy in place and to never put old and dated electronics into the rubbish. In earlier research, the Ponemon Institute said a large number of data breaches occur with offline computers because they are simply put into the rubbish or sent for recycling by the equipment owner.
Myth 6: Recycling will destroy information. There is no way to ensure that hard drives sent for recycling will not be accessed by information thieves. Data security management has to be part of any recycling equation.
Physical destruction is the most effective way to ensure information is unreadable and unrecoverable.
Speak to your document shredding partner about specialised shredding and crushing services. There should be a secure chain of custody process with certified information security professionals, regular collections of hard drives and electronic media, and a Certificate of Media Destruction after each service. Also, materials should be sent for recycling after destruction.
Learn how a comprehensive document management policy protects confidential information from creation to end-of-life.