September 01, 2014

Why Wiping a Hard Drive Isn't Enough to Protect Your Data

Last week the Information Commissioner’s Office (ICO) issued a £180,000 fine following the loss of a hard drive from a prison in Wiltshire.

The hard drive contained highly sensitive data relating to nearly three thousand prisoners (including details of links to organised crime, health information, history of drug misuse and material about victims and visitors). 

Since 2013, the ICO has served five further fines totalling over half a million pounds on organisations that have suffered serious data breaches involving electronic storage devices.

Many British businesses - both large and small - still don’t realise that wiping a hard drive before disposal is not secure enough and that the most effective method is physical destruction. As technology evolves, misconceptions have emerged about hard drive and electronic media security. Even if organisations erase, wipe, reformat or degauss hard drives, they are not guaranteed to be fully protected - confidential data can still be retrieved and end up in the wrong hands.

There are numerous legitimate data recovery companies; however, the same expertise and technology are inevitably also in the hands of those whose intentions are less noble than retrieving precious family snapshots, or that vital coursework essay, from a broken hard drive that was never backed up.

Shred-it’s 2014 Information Security Tracker survey found that 15 per cent of large organisations and nearly a third of small ones have never disposed of hardware containing confidential data. Despite both the short- and long-term negative consequences, many UK businesses choose to stockpile such hardware because they don’t know how to deal with the problem and are unaware of the risks to themselves and their customers.

Fifty per cent of UK businesses surveyed in the 2012 Information Security Tracker mistakenly thought that erasing, degaussing or wiping a hard drive before recycling it was enough to protect their confidential information from being lost or stolen. Another 14 per cent indicated that they simply recycled their old electronic media, making no attempt to safeguard the potentially sensitive information it contained!

This issue is new enough that many companies’ security protocols and procedures don’t account for unused hard drives and electronic media. Instead, businesses often stockpile items with confidential information on them indefinitely, locked away in a cupboard or storage area.

Here are three best-practice ideas you can implement in your workplace to avoid data theft from electronic media:
  • Destroy all unused hard drives at the end of their useful life. If you use a third-party provider to do this for you, check that they have a secure chain of custody, to give you peace of mind and ensure your data is kept out of the hands of fraudsters.
  • Consider performing regular clear-outs of storage facilities and avoid stockpiling old, unused hard drives. The Data Protection Act stipulates that personal data should not be kept for longer than is necessary for the purpose for which it was originally collected, so even the simple act of storing them could mean you are breaking the law.
  • Conduct regular reviews of your organisation’s information security policies and procedures to incorporate new and emerging forms of electronic media - and ensure your staff training also covers this high-risk area.

The cost to destroy hard drives is minimal when compared to the potential risks faced when you don’t. Hard drive destruction is the most effective way to permanently destroy all information.

This information sheet covers more about securely destroying hard drives once they’ve reached the end of their useful life.