Even the Best Laid Plans Forget This Security Gap
The letter looked like standard correspondence from an investment broker, a monthly statement you'd file away without a second glance. It wasn’t.
It was Morgan Stanley informing its clients about a data breach that compromised private financial and personal information and exposed clients to identity theft. When Morgan Stanley closed two data centers in 2016, the company decommissioned its computer equipment through an outsourced data wiping (overwriting) vendor that guaranteed the sensitive data would be destroyed. Much to Morgan Stanley’s surprise, some data remained on the “wiped” drives, which violated customer privacy. This opened the door to major consumer privacy risks and liability and has resulted in customer and employee lawsuits.
What happened to Morgan Stanley isn't an isolated incident. Fifty-nine percent of secondhand hard disks sold on marketplaces like eBay still contain data from their previous owners, according to a study conducted by the University of Hertfordshire and commissioned by Comparitech.
It happens because most security experts, understandably, spend most of their data protection efforts on securing the origin/entry points of their networks from hacking, ransomware, malware, viruses, cryptojacking, phishing emails and the like. Those threats are constant and increasing with today’s remote work revolution. IT security experts used to controlling an office environment, data centers and corporate networks now must contend with security issues created by thousands of home-based networks.
Now businesses are beginning to reopen their doors, and the hybrid remote worker-office worker environment is the new working normal. For security professionals that means double the effort and diligence as devices move from the office to the home and back again.
The Big Gap in Security Measures
A short list of procedures and policies for these hybrid work environments includes the following: two-factor authentication with a personal password and separate input code; applications that monitor data usage; secure remote connectivity through a VPN with encryption; and endpoint security at both the front end (point of origin) and back end (end of life/decommissioning).
But all too often, there’s a big gap at one end point of organizational security: data disposal, destruction and decommissioning. What happens to old devices, hard drives, SSDs and the data they contain? All too often, with workers and devices spread out remotely, worn out devices and drives end up in the back of an old IT or home closet, vulnerable to theft and misuse. Or the drives end up in a landfill with data intact despite attempts to remove it.
That is what CNA reporter Jason Godfrey discovered when he set out to find what really happens to old, discarded cell phones and data drives. What he learned wasn’t pretty. Companies that believed their data had been securely disposed of soon learned the opposite was true.
Jason’s documentary, The Trash Trail, discovered passport details and even blueprints from a marine engineering company on hard drives that had been reformatted and declared ‘clean’, before being re-sold to consumers.
The Peril of Ignoring End of Life Security
Sadly, it's common for security professionals to have detailed security protocols and best practices for origin/data entry security and yet have lax or nonexistent practices for end of life data and equipment.
The stakes are even higher now because data privacy laws like HIPAA, HITECH, GLBA, GDPR and California’s CCPA exact high penalties for data breaches. A Brighton, UK hospital was fined £325,000 by the Information Commissioner's Office (ICO). The ICO said the fine, for Brighton and Sussex University Hospitals NHS Trust, was the highest it had ever imposed, according to the BBC.
There is no statute of limitations or safe harbor for improperly discarded IT assets, as Morgan Stanley learned. Improper IT Asset Disposition (ITAD) is a risk carried forward indefinitely. Your organization is still liable for data records discovered years later.
Best Practices for Data Destruction
Given the risk and potential liability that lasts indefinitely, every organization should define and require these best practices for end of life data security/data sanitization.
- Know exactly where old data and drives are residing and who has them, where they are stored if not in use, how and when they have been decommissioned.
- Do employees understand the need to protect company data at all times, particularly when working remotely? If not, make sure they do. Do not let old data, drives or devices sit idle in someone’s home or personal workspace.
- Maintain a written chain of custody from point of origin to end of life. This is especially critical for remote workers. When a remote worker needs a new computer or data device, make sure the old device is returned to the company via a tracked package and maintain a log of that device as data is destroyed. Obtain proof of data destruction.
- Adopt in-house data destruction. Risk increases when live data leaves your facility through outsourced data disposal. You eliminate that risk when you choose to complete the data destruction in-house with your own security team, under your own controlled environment.
- Use approved data destruction methods such as overwriting, shredding and degaussing. The NIST sanitization guidelines are a good place to start for most organizations handling personal information.
Methods of Data Destruction
Businesses have a number of data destruction methods to choose from, each with pros and cons:
Organizations have been known to use all kinds of physical destruction methods including hammers, drills and burning (not eco-friendly!) to destroy drives. The pro is the drive is destroyed and likely unusable. The con is data can survive on drives despite enormous physical punishment. This happened to a hard drive recovered from the space shuttle Columbia.
Partially melted after passing through the atmosphere, the hard drive was dropped from the sky about 40 miles above Earth at a phenomenal speed and remained on the ground for six months before it was found. And yet data scientists were able to recover 99% of the data present on the hard drive.
Shredding is one of the most common and accepted forms of physical destruction. Shredding can be an effective method of data destruction for many uses. Shredding slices the entire hard drive into small pieces with a high level of destructive force.
The pro is that the process is meant to destroy drive platters, mechanisms and the electronic components so that the data cannot be recovered. The con is it is not failsafe, especially for top secret or confidential data. The NSA shred requirement is a 2mm² particle size, about the thickness of a pencil lead. To meet that requirement, you need a shredder, crusher or disintegrator that can achieve a 2mm² particle size. Not all commercial shredders meet that requirement.
Encryption is a form of data protection, not data destruction or sanitization. It is useful for protecting data while in use but does not protect the organization at end of life. Any encrypted drive not physically destroyed to NSA level requirements will eventually give up its secrets.
Overwriting is a software-based method of destroying electronic data on a hard disk drive by writing zeros and ones over the data on all sectors of the device. The pro of overwriting is that the wiped drives can be recycled or reused. The con is that overwriting can be a lengthy and time-consuming process, requiring between eight and 14 hours of continuous writing to overwrite a hard drive that is in good condition. Disk drives that are older or worn out can fail partway through, leaving data that was never overwritten on the drive. The process relies on the quality of the drive itself and the skill of the operator to make sure the drive is completely erased.
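The failure mode described above, a wipe that reports success while some sectors were never overwritten, can be caught by reading the drive back before it leaves custody. The following is an added example, not code from the article or from any vendor: the function names, the 512-byte sector size and the sample image are assumptions made for illustration.

```python
import os
import tempfile

SECTOR = 512  # assumed logical sector size; confirm the drive's real value


def verify_overwrite(path, fill=0x00, sector=SECTOR, chunk_sectors=2048):
    """Read back every sector of a wiped image or block device.

    Returns (total_sectors, residual), where residual lists the sector
    numbers whose contents differ from the expected overwrite byte.
    """
    expected = bytes([fill]) * sector
    residual, index = [], 0
    with open(path, "rb") as dev:
        while True:
            chunk = dev.read(sector * chunk_sectors)
            if not chunk:
                break
            for off in range(0, len(chunk), sector):
                block = chunk[off:off + sector]
                # A short final block is compared against a same-length prefix.
                if block != expected[:len(block)]:
                    residual.append(index)
                index += 1
    return index, residual


def build_sample_image(path, sectors=64, unwritten=(10, 37)):
    """Constructed test data: a 'wiped' image in which the wipe skipped
    two sectors, as can happen when a worn drive fails mid-pass."""
    with open(path, "wb") as img:
        for n in range(sectors):
            if n in unwritten:
                img.write(b"ACCT 0000 constructed record".ljust(SECTOR, b"."))
            else:
                img.write(b"\x00" * SECTOR)


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "wiped.img")
        build_sample_image(path)
        return verify_overwrite(path)


if __name__ == "__main__":
    total, residual = demo()
    status = "PASS" if not residual else "FAIL"
    print(f"{status}: {len(residual)} of {total} sectors not overwritten: {residual}")
```

A read-back through the operating system only covers addressable sectors. Remapped sectors, host-protected areas and SSD spare blocks are not visible to it, so a PASS here does not replace the drive's own sanitize command or physical destruction where policy requires it.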
Degaussing works by releasing a magnetic pulse across the entire hard drive. This magnetic pulse instantly and permanently removes all data from the disk platters. Degaussers are small units (about the size of a CPU), lightweight (ranging from 35 to 105 pounds) and can be carried or rolled into an office, data center or warehouse for in-house data destruction. Best practices for top secret data removal recommend degaussing, followed by destruction and verification that the data has been completely erased and the drive destroyed.
Don't Leave Security Up to Chance
The risks and potential liability of ineffective data destruction at end of life are too high for any organization to accept. Ensure your data and company are fully protected from endpoint to endpoint by instituting best practices for data destruction and using a proven method of data destruction like degaussing for all your devices and data.
About the Author
Clare Price is CEO of Octain, a global strategic planning consultancy that helps small and mid-market companies grow to dominate their markets by fueling the speed of business. She is the author of the eBook, Make Remote Work, a practical guide for helping companies navigate the new remote work world.