Winner BT Security News Story of the year award 2006
Identity thieves are gleaning personal information from scrapped computers. Peter Warren reports on just how insecure our sensitive data really is.
Bill Kerridge is a North Shields publican who runs an award-winning pub in the Tyneside town and whose daughter is a talented gymnast. Normally, Kerridge would be happy for the readers of a national newspaper to know those details. This time he is not: along with a wealth of other information relating to his family, they were recovered from a computer hard drive, bought off the internet via eBay, that the Kerridges knew nothing about.
The news that such personal information about his family holidays, his eldest daughter’s training regime, details of his business and of other members of his family – which was recovered as part of an investigation by BT and data destruction specialists Life Cycle Services, carried out by researchers at Glamorgan University – has profoundly shocked Kerridge.
Richard Martin, 53, was another individual who felt the same way. A hard drive from a personal computer that he had thought he had disposed of properly yielded highly personal letters relating to his financial affairs including details of bank accounts and insurance claims.
All of which is potential gold dust for the UK’s fastest growing crime trend, identity theft.
“I think that this is shocking, that there is information like this going around about my family,” Kerridge says. “Basically I think that there should be a lot more information made available to people on how to destroy the data on their computers. I wouldn’t know the first thing about how you would go about destroying this data.”
Martin had given his computer to the IT department of Man Trucks, the company he was working for, and asked them to destroy it. Both Kerridge and Martin are fairly typical of the bulk of the UK population who see the value of new technology in the computer rather than the data it is able to process, obtain and retain.
A potentially fatal error given the close relationship that now exists between ourselves and computers, as the Kerridges’ case has proved.
As the university’s forensic team conducted the research, it peeled back the layers on the disk. Web searches, phone numbers of employees, email conversations with family friends and details of their daughter’s boyfriends – all spilled onto the university computers.
There was enough data for a would-be identity thief to garner more information by ringing up those people identified and “socially engineer” more relevant details.
In the case of Rob Morris, a 38-year-old IT worker from Swindon, it could have been even more damaging. Details of his mobile phone account were found on a disk that had been disposed of by Vodafone – which bought the company he worked for, Cellular Operations, in 2003.
According to Morris, Cellular Operations also held crucial personal details such as his date of birth and credit card records on the discarded disk.
“When Cellular Operations was taken over by Vodafone they were only interested in the subscriber base – they got rid of the buildings, the computers and the people,” he says. “It’s a bit worrying that a company like Vodafone has not disposed of it properly.”
It is also potentially illegal and could lay Vodafone open to prosecution by anyone who finds that poor safeguards on their personal data have led to any loss from ID thieves or hackers – a risk highlighted by the Information Commissioner, Richard Thomas, in his annual report last May.
“My office has exposed an alarming trade in illegally obtained personal information,” he said. “Impersonation and bribery are used to get inside information ranging from car registration details to bank records.”
Being careless with personal information also breaks the Data Protection Act, a point forcibly made by a spokeswoman for the Information Commissioner.
She says: “With the widespread use of technology and the constant updating of systems, it is imperative that information about individuals is kept secure at all times, which is why we have the DPA.”
Despite this, the BT and Life Cycle Services research uncovered huge amounts of company information from Man Trucks, a German transport manufacturer with its UK headquarters in Swindon.
The company, which has a worldwide workforce of 58,000 and sales of €14.7bn, had again disposed of hard drives from computers that contained highly detailed company information including personal details on staff payroll, internal contact details, internal planning and strategy documents, written warnings to staff plus copies of invoices and orders.
Sufficient information had also been recovered on the company’s computer network to allow the multinational to be effectively hacked, and indeed one disk appeared to show that a Trojan had been installed on the computer of one manager. “A Trojan program is one that lets a hacker siphon information out of a computer and the Man Truck disk that we looked at showed that the computer had been turned into a server that was using port 8182, which is very unusual,” said Dr Andrew Blyth, who oversaw the Glamorgan research.
Which is just the sort of insight Blyth was hoping that the cast-off computer hard drives would turn up.
“This fits in with ongoing research that is being carried out here by our specialist forensics team into the business and personal impact of people not disposing of their data properly,” he said.
“People have got the message with personal information and how they should use it online, but they have not got the idea with the electronic information that is stored on their computers. They think that when they hit delete that the data fairy comes along and the information is wiped off forever.”
The research – which was based on 317 computer hard drives obtained from the UK, North America, Germany and Australia – showed just how many people believe in the data fairy: though 41% of the disks were unreadable, 20% contained sufficient information to identify individuals, 5% of the disks held commercial information on organisations ranging in the UK from Man Trucks to Easington Council, and included records of a Children’s Day Care centre.
There was also illegal information with 5% of the disks holding “illicit data” and 1% of the disks bearing paedophile information. As a result, a criminal investigation has been launched in South Wales and another one in Australia.
“This is the second time we’ve done this research and it shows that businesses are neither taking adequate precautions nor meeting their obligations,” said Dr Andrew Jones, BT Exact’s head of technology research. “Given the rise in ID theft we need to do better, and finding out things like that is the point of the research.”
Just how compromising and thorough the information stored on computers can be was demonstrated by data obtained from disks belonging to Port Weller Dry Dock, a Canadian ship building company.
On the drives was information that showed the company had details on a bid for the US Navy’s top secret DD21 destroyer programme, part of a US defence programme intended to equip the US Navy for the 21st century.
There were also details that compromised one company employee, showing him to be a closet transvestite and potentially leaving him open to blackmail – once again showing just how intimate the relationship with our computers has become. Other drives from Port Weller also contained even more compromising sexual information.
Jon Godfrey, managing director of Life Cycle Services, which recycles computers and destroys any data left on them, says: “The thing about computers is that they hold a complete personal profile on you and they compile it over a number of years and then people just throw them away with that slice of their lives on them.
“People get worried about losing data on computers but they don’t realise that erasure is as important as retention. The survey shows that the commercial sector is still chronically ignorant of the destruction and retention of data, and our experience is that the problem is actually worse than the study suggests.”
Story first appeared in The Guardian on the 10th of August, 2006