The personal records of school-children and the passwords and user names of top company executives and academics have been discovered in a survey into the destruction of computer data.
The investigation by the University of Glamorgan’s Information Security Research Group and Future Intelligence, which involved the analysis of over 100 hard drives mainly obtained from eBay, discovered the routine disposal by universities, multi-national companies and individuals of equipment holding personal data, in clear breach of the Data Protection Act. The office of the Information Commissioner, which is responsible for policing the disposal of data, says it will be tough with any organisations responsible for lax computer security practices.
“It is essential that companies have appropriate procedures in place to ensure that personal records on computer hard drives are rendered unrecoverable when they dispose of computer equipment. Under the Data Protection Act companies have a duty to store personal information securely and delete it when it is no longer required,” said Assistant Commissioner Phil Jones.
Police disturbed by findings
The results of the Glamorgan experiment have also disturbed the National Hi-Tech Crime Unit, because the final destination for much second-hand computer equipment is countries such as Russia and Nigeria, where technology crime gangs are known to be operating.
“This research demonstrates just how easy it is to access information which is not adequately protected. Encryption and other security measures are vital to ensure that security is not compromised – something as simple as a hard disk drive password can deter the opportunist. Companies have a duty of care to their customers and employees to ensure that information they hold is managed appropriately,” said Tony Neate, Industry Liaison Manager at the NHTCU.
In two cases, involving Scottish and Newcastle, which boasts operations in 14 countries, and the Swedish-based international insurance group Skandia, sufficient information was discovered to allow the security of both organisations to be breached.
In the case of both companies the data obtained, which included staff records, passwords, internal emails and highly detailed financial data, was less than a year old.
There was also sufficient data from both organisations to allow a hacker to map the computer systems of the companies in sufficient detail to make an attack on them very likely to succeed, according to experts.
“On at least seven of the disks that I have seen there was enough information to allow a hacker to get into an organisation,” said Dr Andy Jones, Security Research Group Leader for BT Exact and author of Risk Management, who examined the disks.
“The data that was there lets a hacker understand what’s behind a firewall and what they need to do to get in but as there were passwords and user names there, then they were through and that’s game over.”
School children’s records discarded
More worrying still was the presence of extremely detailed personal information on pupils from a Church of England Primary School in East Yorkshire, including school reports, an extensive list of pupils, personal letters regarding particular children to parents and psychological information.
The Glamorgan exercise ironically also turned up data from Hull University, Southampton University and Harrow College. This information, which would also have allowed access in the case of the universities to central systems, also contained emails written by a woman conducting an affair and details of special interest sex sites visited by individuals using the computers.
In the case of one of the universities a document template for the university’s degrees was discovered, while open access to both of the systems also raises the prospect of examination papers being accessed by outsiders.
“I suppose the single most striking thing that came out of this was that companies and organisations that are meant to be data wiping are not,” said Dr Andrew Blyth, head of the ISRG.
According to Blyth, sufficient information had been recovered on individuals to blackmail them. He added that his group had only looked at a small proportion of the data.
“On the disks that we looked at we only focussed in on certain areas because there was too much data,” said Blyth, who highlighted the case of the primary school as being particularly disturbing.
“I would be horrified if that information was about my child. The personal details that were on there could easily have been used by a paedophile.”
The presence of the primary school data is in direct contravention of the guidelines issued to schools by the British Educational Communications Technology Agency, in Data Protection a summary for schools.
“An aspect of data security that can be overlooked relates to the disposal of computing equipment. Schools have legal responsibilities for the personal data which will be on hard disks (including things like email and passwords). Just deleting files or even formatting the disk is not sufficient since widely available software programs can recover some or all of the information.
“Schools are advised to check that the organisation to which any equipment may be given will provide a warranty that they also securely erase all disks. It is advisable to consult your local technical guide for advice in these areas. If the disks contain particularly sensitive information then the industry recommendation is that they should be physically destroyed by fire or smashing them.”
Government concern over the issue of data destruction has led to it issuing guidance in the shape of InfoSec Standard 5, a list of recommendations from the Communications Electronics Security Group, the information assurance arm of GCHQ, that were designed for Government and are considered best practice.
That concern has come about, according to Bryan Glick, Managing Editor of Computing newspaper, because of impending European legislation on the disposal of computer equipment.
“The new EU directives mean that computers will have to be disposed of in an environmental manner which means that it is increasingly likely that unwanted computers will be sold rather than thrown away.
“It’s ironic that while there is a huge focus on computer security that something as basic as disposing of computers with important data on them does not receive more attention,” said Glick.
Woeful lack of legal knowledge relating to technology
From a computer security point of view the Glamorgan experiment demonstrated both a woeful knowledge of the law relating to the destruction of personal information and a widespread ignorance of how to get rid of an individual’s details, as an unsuccessful attempt had been made to try to destroy the data on 47% of the disks.
Of the 100 disks obtained, over 50% contained personal information and over 56% held information that allowed organisations to be identified, with user names and passwords also being recovered.
According to Blyth, Glamorgan used the most basic methods to recover the information from the disks.
“Everything that we did could have been done by an individual with a little bit of know how and some freeware that is easily obtained from the web,” said Blyth.
The fact that most of the data recovered was relatively recent (the oldest documents were only two years old) is also seen as a worrying lapse by those responsible for the information’s destruction.
As a control experiment, 10 disks included in the survey were sourced from LCS Remploy, a company specialising in the destruction of data, without the company’s knowledge. All of LCS Remploy’s disks had been completely wiped, a result that clearly pleased Jon Godfrey, the company’s managing director.
“When you told me I was relieved to put it mildly, but there’s a very serious side to this because the survey means there must be a lot of organisations putting their data out into the public domain.
“It only costs £3 to wipe a disk properly and there’s a core business risk in this because the kit from the Y2K boom has now come onto the market and has driven prices down and the demand for this equipment is now Eastern Europe, India, Pakistan, Nigeria and parts of Asia.”
Companies shocked by data loss
A spokesman for Monsanto, the controversial US company involved in the production of genetically modified plants, whose corporate data was also discovered on one hard drive, confirmed that the company would be launching an investigation into how details of its crop research leaked from its Cambridge offices.
“We’re grateful that this has been brought to our attention. It appears that a serious lapse in our procedures for the disposal of surplus IT equipment has occurred.
“We assume this is an isolated incident which arose during the restructuring of our Cambridge offices when a number of IT items were disposed of at the end of their working lives.”
According to the Scottish and Newcastle spokeswoman, a spate of lap-top thefts had recently hit the company, which it had reported to the police, and these were blamed for the incident, though no lap-top drives were analysed in the experiment.
Scottish and Newcastle then stated that the computers were part of Scottish and Newcastle Retail, since sold to the Spirit Company, and that S&N was not responsible for the disposal of the data.
A spokeswoman from the Swedish insurance giant Skandia, which has invested heavily in data destruction but whose data was found on one hard drive, welcomed the investigation.
“This is not embarrassing for us, it’s absolutely horrifying. We pay to have our data wiped thoroughly so we are going to have to investigate this to discover how it happened and make sure that it does not happen in the future.”
Southampton University, whose information, including passwords, staff emails and names, was also discovered on other hard drives, confirmed that it too had launched an investigation.
“The University has rigorous procedures in place to ensure the destruction of all data stored on redundant computer equipment. We are therefore disturbed by the news that information about the University’s School of Physics and Astronomy has been found on hard drives and will be investigating how this might have occurred.
“Where a computer is to be disposed of rather than used elsewhere within the University, staff in the school or department concerned are asked to clear the hard disk. A specialist external company then undertakes an industry standard hard disk wipe on our behalf, before disposing of the equipment in accordance with appropriate EU and UK directives. This policy applies throughout the University, including the School of Physics and Astronomy. We need to find out what happened and ensure that it doesn’t happen again,” said a spokeswoman.
A spokeswoman from Hull University confirmed that it was investigating the claims to determine whether the computers holding the data had belonged to the university.
FI exclusive story appeared in:
The Times, http://www.timesonline.co.uk/article/0,,2-1487674,00.html
The Daily Mirror, http://www.mirror.co.uk/news/allnews/tm_objectid=15198429&method=full&siteid=50143&headline=secrets-for-sale-on-name_page.html
Times Online, http://www.timesonline.co.uk/article/0,,2-1487674,00.html
BBC Online, http://news.bbc.co.uk/1/hi/wales/4272395.stm
The Scotsman, http://news.scotsman.com/latest.cfm?id=4144685
Manchester Evening News, http://www.manchesteronline.co.uk/news/s/146/146615_secrets_for_sale_in_ebay_disks_auction.html
The Register, http://www.theregister.co.uk/2005/02/17/hard_drive_data/
The Inquirer, http://www.theinquirer.net/?article=21308
What PC, http://www.whatpc.co.uk/analysis/1161310
IT Week, http://www.itweek.co.uk/analysis/1161310
Help Net Security, http://www.net-security.org/news.php?id=7173
Eventually well over 500 publications and counting followed up FI research.