Secure Data Disposal
An Ugly Story
One of our technicians here at i.t.NOW was recently at a thrift store. He noticed some computers in its electronics section and naturally gravitated towards them. Curiosity impelled him to turn one of the machines on, and he was surprised when he did.
The machine was still attached to the domain of a local business. More than that, once he logged in he found that the machine still held a significant amount of data from that business. That data contained private client information and even financial data.
It seemed as if they had simply unplugged the machine in the office and taken it directly to the thrift store with no additional action. We all see the problem with this, right?
The data on that machine had been compromised and made available to the public at discount thrift store rates. Even worse, there wasn’t just one computer there. There were multiple machines of the same vintage from the same business, selling for $10 each on a thrift store rack.
There is a right way to dispose of machines. This isn’t it. I also can’t argue with the instinct to donate them. In the Salt Lake City area there is a line of thrift stores that seeks to help the underprivileged. That’s where these machines were donated. I applaud the desire to give back, but we must do it correctly.
Wipe That Drive
i.t.NOW recommends that any computers that leave our clients’ businesses go through a secure data disposal process on all hard drives.
The data sanitization method usually follows this process:
- Pass 1: Overwrite all addressable locations with binary zeroes.
- Pass 2: Overwrite all addressable locations with binary ones (the complement of the above).
- Pass 3: Overwrite all addressable locations with a random bit pattern.
- Verify the final overwrite pass.
Erasing a hard drive with this method will prevent all software-based file recovery methods from recovering data from the drive, as well as hardware-based methods. i.t.NOW does this for all its clients as part of our commitment to be a true partner and offer network security services.
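The three passes and the final verification described above, as an added example (this is not i.t.NOW's own tooling). It assumes a Linux host and a target path you supply, either a disk image file or a block device; the function names are illustrative. The last pass is verified by hashing the random data as it is written and comparing that against a hash of what is read back.

```python
import hashlib
import os

CHUNK = 1024 * 1024  # process the target in 1 MiB blocks


def _overwrite(f, size, make_block):
    """Overwrite bytes 0..size and return the SHA-256 of what was written."""
    digest = hashlib.sha256()
    f.seek(0)
    remaining = size
    while remaining:
        block = make_block(min(CHUNK, remaining))
        f.write(block)
        digest.update(block)
        remaining -= len(block)
    f.flush()
    os.fsync(f.fileno())  # force this pass to the device before the next one
    return digest.hexdigest()


def _read_back(f, size):
    """Re-read the target and return the SHA-256 of its current contents."""
    try:  # ask Linux to drop cached pages so the read hits the device
        os.posix_fadvise(f.fileno(), 0, 0, os.POSIX_FADV_DONTNEED)
    except (AttributeError, OSError):
        pass  # not available here; the read may be served from cache
    digest = hashlib.sha256()
    f.seek(0)
    remaining = size
    while remaining:
        block = f.read(min(CHUNK, remaining))
        if not block:
            break  # short read: digest will not match, so verification fails
        digest.update(block)
        remaining -= len(block)
    return digest.hexdigest()


def three_pass_wipe(path):
    """Zeroes, ones, random, then verify the final pass. True if it verifies."""
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)  # works for image files and block devices
        _overwrite(f, size, lambda n: b"\x00" * n)  # pass 1: binary zeroes
        _overwrite(f, size, lambda n: b"\xff" * n)  # pass 2: binary ones
        written = _overwrite(f, size, os.urandom)   # pass 3: random pattern
        return _read_back(f, size) == written
```

Overwriting through the operating system reaches only the addressable locations; remapped sectors and the spare area of an SSD are outside its reach and need the drive's own secure-erase command or physical destruction.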
It’s also acceptable to simply destroy the physical hard drives in such a way that no data can be retrieved. This is effective but makes the machine inoperable if you wanted to donate it or have any other use for it afterwards.
There are other devices that should be considered as well. The FTC recently released a memo that specifically called out copiers as a potential data leak. These machines are often leased, then returned to the provider at the end of the lease and replaced with a new unit. Many modern copiers have an onboard hard drive that will save copies of scanned images in preparation to fax or email them out. They can also save scanned documents to the network.
Most folks don’t even consider the idea that the copier may contain hundreds of pages of scanned documents with secure or financial data saved on it. Organizations should consider this and ensure that a proper wipe is done on copiers as well before they get replaced.
Cell phones are another area where sensitive data could potentially be stored. Organizations that allow users to access sensitive data on mobile devices should have a solution in place for mobile device management. This will typically restrict where sensitive data is saved on a mobile device to allow for quick and easy removal. If you discover an individual has left your organization, you can send a remote wipe command to the device to destroy all sensitive data. This is also handy in case of theft or loss.
What’s Your Policy?
Your organization should have a policy in place regarding data destruction when recycling older hardware. A process should exist that provides for the complete removal of all company data before that machine leaves your building.
The last thing you want is to find your company data on the discount electronics shelf at the local thrift store.
i.t.NOW offers certified destruction to our managed service clients free of charge. Reach out to us today for assistance with better managing your technology.