Adequate data disposal: wiping the slate clean

Alvarez & Marsal’s recent forensic analysis of used computers has uncovered the dangers of inadequate data disposal for individuals and businesses everywhere, opening up the potential for data breaches and financial fraud. But to what extent does this also pose a threat to the public sector?

In September, the US Securities and Exchange Commission (SEC) fined Morgan Stanley US$35 million for an “astonishing” failure to protect customer data, after the bank’s own decommissioned servers and hard drives were sold on – and some even auctioned online.

It came to light that the bank had outsourced the task to an unnamed third-party moving company with “no experience or expertise in data destruction services”. According to the SEC’s complaint, it totalled over 1,000 unencrypted hard drives and 8,000 backup tapes, containing details of some 15 million customers.

Ensuring adequate data disposal has become increasingly challenging, and while it can be a complex task it is crucial to have full visibility over the process.

In certain places, there are recommendations for how to deal with devices when no longer required. For example, the UK’s National Cyber Security Centre guidelines recommend that hard drives should be physically destroyed in this scenario, in line with a growing trend of tech companies, financial institutions and government departments shredding millions of data storage devices every year.

Despite this, there is no explicit mandate to shred and some governmental departments, such as the Metropolitan Police, commit to properly wiping hard drives where possible.

In the US this summer, Detroit’s city government announced a scheme to distribute hundreds of its used computer units to families in the area. The authority took care to note that “all 500 computers first will be wiped of any existing and sensitive data” before being passed on.

But what does data disposal entail?

Given the sheer quantity of sensitive personal data held on public sector databases, completing a successful wipe is of paramount importance.

To expose the dangers of inadequate data disposal in both business and private settings, Alvarez & Marsal’s Disputes and Investigation team (A&M) conducted a forensic analysis of six used computers – which appeared to be both personal and previous work devices – that were available for sale on an online marketplace.

Using forensic technology software and e-Discovery tools, the team was able to recover thousands of documents from five of the six computers, including hundreds with highly sensitive personal information, as well as a significant amount of business-related data.

A&M retrieved data that was not fully deleted from hard drives, suggesting that the previous owner had attempted some form of cleansing but that it was not 100% effective. In other cases, data had not been erased at all, and the team was simply able to identify information that was live on the machine.

It is also worth noting that the data was captured using software available to anyone with the right knowledge, highlighting its vulnerability to fraudsters and other malicious actors with moderate forensics skills.

In total, the forensic analysis was able to recover 5,875 user-generated documents across the six computers. Several documents came from carved data — that is, deleted data on the hard drives of the computers — with a few documents still sitting on the computers, undeleted.

Why is data disposal so important?

The majority of the data recovered contained personal information, including clear scans of an in-date passport and various appraisal and job application forms detailing personal identifiable details such as full names, National Insurance numbers, addresses, emails, dates of birth and other sensitive data.

Personal photos were also found among the data, as well as 366 files including work-related keywords, derived from both generic business terms and concepts A&M discovered during the clustering process.

The risk of such breaches is increased because even deletion and formatting — including factory resets — do not always permanently remove the data from devices, A&M’s analysis showed. Due to this, zeroing out a hard drive, or forensically wiping it, is the best way to sanitise a device to render the data irretrievable by hackers.

Users can do this by using specialist software tools, such as the ones we used in this analysis, but free tools can also offer a good level of sanitisation. Physical shredding of hard drives is also recommended.

Failure to properly dispose of redundant IT equipment can lead to data breaches that not only violate data protection laws but can also result in financial fraud, with devastating impacts on companies’ finances and reputations. For individuals, there is the risk of identity theft if personal information falls into the wrong hands, causing monetary losses and serious emotional distress.

Best practices in data disposal management

To mitigate the risks outlined above, A&M recommends following several best practices in data disposal management.

It is crucial to audit third-party technology providers for the secure deletion of data. Even when a company uses third-party technology providers or outsources all or some of its data management services, the obligations to comply with relevant data protection laws remain with the company.

Appropriate technical, operational and legal measures must be in place with all vendors and service providers processing personal data. This may include having certified and audited procedures governing the secure deletion of data and destruction of hardware devices.

Another is to heavily enforce data security policies. In order to prevent sensitive data from being transmitted outside of secure environments in the first place, company emails and documents should ideally be stored on a secure cloud storage platform which is behind multiple layers of authentication. Employee training and access are also critical to data security as most data leaks have their root in human error.

Lastly, establishing and maintaining a secure data destruction policy is key. Organisations have a responsibility to only collect data that they need from their customers and employees and to only hold it for as long as necessary to meet these lawful purposes.

This means that companies need to understand the data they hold and put in place not just policies around usage, retention and the effective deletion of data, but also technical and organisational controls, including compliance monitoring, to ensure that these requirements are met in practice.