Company secrets sold on eBay
Written by Peter Warren

Tuesday, 17 May 2005
Story bought by The Times, Daily Mirror, Computing
The personal records of schoolchildren and the passwords and user
names of top company executives and academics have been discovered in a
survey into the destruction of computer data.
The investigation by the University of Glamorgan's Information
Security Research Group, which involved the analysis of over 100 hard
drives mainly obtained from eBay, discovered the routine disposal by
universities, multinational companies and individuals of equipment
holding personal data, in clear breach of the Data Protection Act.
The office of the Information Commissioner, which is responsible for
policing the disposal of data, says it will be tough with any
organisations responsible for lax computer security practices.
"It is essential that companies have appropriate procedures in place to
ensure that personal records on computer hard drives are rendered
unrecoverable when they dispose of computer equipment. Under the Data
Protection Act companies have a duty to store personal information
securely and delete it when it is no longer required," said Assistant
Commissioner Phil Jones.
The results of the Glamorgan experiment have also disturbed the
National Hi-Tech Crime Unit, because the final destination for much
second-hand computer equipment is countries such as Russia and Nigeria,
where technology crime gangs are known to be operating.
"This research demonstrates just how easy it is to access information
which is not adequately protected. Encryption and other security
measures are vital to ensure that security is not compromised -
something as simple as a hard disk drive password can deter the
opportunist. Companies have a duty of care to their customers and
employees to ensure that information they hold is managed
appropriately," said Tony Neate, Industry Liaison Manager at the NHTCU.
In two cases, involving Scottish and Newcastle, which has operations
in 14 countries, and the Swedish-based international insurance group
Skandia, sufficient information was discovered to allow the security of
both organisations to be breached.
In the case of both companies the data obtained, which included staff
records, passwords, internal emails and highly detailed financial data,
was less than a year old.
There was also sufficient data from both organisations to allow a
hacker to map the computer systems of the companies in enough
detail to make an attack on them very likely to succeed, according to
experts.
“On at least seven of the disks that I have seen there was enough
information to allow a hacker to get into an organisation,” said Dr
Andy Jones, Security Research Group Leader for BT Exact and author of
Risk Management, who examined the disks.
“The data that was there lets a hacker understand what’s behind a
firewall and what they need to do to get in, but as there were passwords
and user names there, then they were through and that’s game over.”
More worrying still was the presence of extremely detailed personal
information on pupils from a Church of England Primary School in East
Yorkshire, including school reports, an extensive list of pupils,
personal letters regarding particular children to parents and
psychological information.
The Glamorgan exercise ironically also turned up data from Hull
University, Southampton University and Harrow College. This
information, which would also have allowed access in the case of the
universities to central systems, also contained emails written by a
woman conducting an affair and details of special interest sex sites
visited by individuals using the computers.
In the case of one of the universities a document template for the
university’s degrees was discovered, while open access to both of the
systems also raises the prospect of examination papers being accessed
by outsiders.
“I suppose the single most striking thing that came out of this was
that companies and organisations that are meant to be data wiping are
not,” said Dr Andrew Blyth, head of the ISRG.
According to Blyth, sufficient information had been recovered on
individuals to blackmail them, and he added that his group had only looked at
a small proportion of the data.
“On the disks that we looked at we only focussed in on certain areas
because there was too much data,” said Blyth, who highlighted the case
of the primary school as being particularly disturbing.
“I would be horrified if that information was about my child. The
personal details that were on there could easily have been used by a
paedophile.”
The presence of the primary school data is in direct contravention of
the guidelines issued to schools by the British Educational
Communications and Technology Agency in Data Protection: A Summary for
Schools.
“An aspect of data security that can be overlooked relates to the
disposal of computing equipment. Schools have legal responsibilities
for the personal data which will be on hard disks (including things
like email and passwords). Just deleting files or even formatting the
disk is not sufficient since widely available software programs can
recover some or all of the information.
“Schools are advised to check that the organisation to which any
equipment may be given will provide a warranty that they also securely
erase all disks. It is advisable to consult your local technical guide
for advice in these areas. If the disks contain particularly sensitive
information then the industry recommendation is that they should be
physically destroyed by fire or smashing them.”
Government concern over the issue of data destruction has led to it
issuing guidance in the shape of InfoSec Standard 5, a list of
recommendations from the Communications Electronics Security Group, the
information assurance arm of GCHQ, that were designed for Government
and are considered best practice.
That concern has come about, according to Bryan Glick, Managing Editor
of Computing newspaper, because of impending European legislation on the
disposal of computer equipment.
“The new EU directives mean that computers will have to be disposed of
in an environmental manner which means that it is increasingly likely
that unwanted computers will be sold rather than thrown away.
“It’s ironic that while there is a huge focus on computer security,
something as basic as disposing of computers with important data on
them does not receive more attention,” said Glick.
From a computer security point of view the Glamorgan experiment
demonstrated both a woeful knowledge of the law relating to the
destruction of personal information and a widespread ignorance of how
to get rid of an individual’s details, as an unsuccessful attempt had
been made to try to destroy the data on 47% of the disks.
Of the 100 disks obtained over 50% contained personal information and
over 56% held information that allowed organisations to be identified
with user names and passwords also being recovered.
According to Blyth, Glamorgan used the most basic methods to recover the information from the disks.
“Everything that we did could have been done by an individual with a
little bit of know how and some freeware that is easily obtained from
the web,” said Blyth.
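The BECTA guidance quoted above says that deleting files or formatting a disk is not sufficient, and Blyth says the Glamorgan recovery used only basic methods on disks where a wipe had been attempted and failed. The following added example (not code from the article, the university or any of the organisations named) models that at the sector level with a constructed toy disk image: an ordinary delete and a quick format leave the raw bytes in place, a per-file overwrite only protects files that still have a directory entry, and only a full-device overwrite leaves nothing for a raw search to find. The `carve` function stands in for the kind of freeware recovery tool the article refers to; the file names and contents are made up.

```python
"""Toy sector-level disk model: why delete/format leave data behind and how
to verify that a wipe actually happened. Constructed example; the disk
image, file names and contents are invented for illustration."""
import re

SECTOR = 64      # bytes per sector; tiny so the whole image is easy to inspect
NSECTORS = 32    # a 2 KiB toy disk image


class ToyDisk:
    """Minimal sector-allocated disk: a raw byte image plus a directory."""

    def __init__(self):
        self.image = bytearray(SECTOR * NSECTORS)
        self.directory = {}                # file name -> list of sector numbers
        self.free = list(range(NSECTORS))

    def write_file(self, name, data):
        needed = (len(data) + SECTOR - 1) // SECTOR
        if needed > len(self.free):
            raise OSError("disk full")
        sectors = [self.free.pop(0) for _ in range(needed)]
        for i, s in enumerate(sectors):
            chunk = data[i * SECTOR:(i + 1) * SECTOR]
            self.image[s * SECTOR:s * SECTOR + len(chunk)] = chunk
        self.directory[name] = sectors

    def delete_file(self, name):
        # An ordinary delete: drop the directory entry and mark the sectors
        # free, but leave their contents exactly as they were.
        self.free.extend(self.directory.pop(name))

    def overwrite_and_delete(self, name):
        # Per-file "secure delete": overwrite this file's sectors, then delete.
        # It does nothing for data whose directory entry is already gone.
        for s in self.directory[name]:
            self.image[s * SECTOR:(s + 1) * SECTOR] = b"\x00" * SECTOR
        self.delete_file(name)

    def quick_format(self):
        # A quick format rebuilds the metadata and leaves the data area alone.
        self.directory = {}
        self.free = list(range(NSECTORS))

    def sanitise(self):
        # Full-device overwrite of every sector, allocated or not. A real
        # drive needs a whole-device overwrite or the drive's own erase
        # command, and the same kind of check afterwards.
        self.image[:] = b"\x00" * len(self.image)


def carve(image, needle):
    """Offsets where `needle` occurs in the raw image, ignoring the directory
    entirely; this is what file-recovery tools do."""
    return [m.start() for m in re.finditer(re.escape(needle), bytes(image))]


def residual_sectors(image):
    """Sector numbers that are not all zero; must be empty after sanitise()."""
    return [s for s in range(NSECTORS) if any(image[s * SECTOR:(s + 1) * SECTOR])]


def demo():
    """Walk through the disposal mistakes described in the article and the
    raw-image check that tells a real wipe from an attempted one."""
    disk = ToyDisk()
    # Constructed sample contents, not real data.
    disk.write_file("creds.txt", b"user=finance_admin password=example-only\n")
    disk.write_file("payroll.txt", b"staff=J.Smith;salary=31000\n" * 3)

    results = {}
    disk.delete_file("creds.txt")                        # plain delete
    results["password_after_delete"] = len(carve(disk.image, b"password="))

    disk.overwrite_and_delete("payroll.txt")             # per-file overwrite
    results["salary_after_overwrite"] = len(carve(disk.image, b"salary="))
    results["password_after_overwrite"] = len(carve(disk.image, b"password="))

    disk.quick_format()                                  # "formatting the disk"
    results["password_after_format"] = len(carve(disk.image, b"password="))

    disk.sanitise()                                      # full-device wipe
    results["password_after_sanitise"] = len(carve(disk.image, b"password="))
    results["residual_sectors"] = len(residual_sectors(disk.image))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of `residual_sectors` is that a disposal process should be checked against the raw device, not against the file listing: a disk whose directory is empty can still carry every byte it ever held, which is exactly what a control experiment like the LCS Remploy one verifies.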
The fact that most of the data recovered was relatively recent (the
oldest documents were only two years old) is also seen as a worrying
lapse by those responsible for the information’s destruction.
As a control experiment, 10 disks included in the survey were sourced,
without the company’s knowledge, from LCS Remploy, a company specialising in the
destruction of data. All of LCS Remploy’s disks had been completely
wiped, a result that clearly pleased Jon Godfrey, the company’s
managing director.
“When you told me I was relieved, to put it mildly, but there’s a very
serious side to this because the survey means there must be a lot of
organisations putting their data out into the public domain.
“It only costs £3 to wipe a disk properly and there’s a core business
risk in this because the kit from the Y2K boom has now come onto the
market and has driven prices down and the demand for this equipment is
now Eastern Europe, India, Pakistan, Nigeria and parts of Asia.”
A spokesman for Monsanto, the controversial US company involved in the
production of genetically modified plants, whose corporate data was
also discovered on one hard drive, confirmed that the company would be
launching an investigation into how details of its crop research leaked
from its Cambridge offices.
“We’re grateful that this has been brought to our attention. It appears
that a serious lapse in our procedures for the disposal of surplus IT
equipment has occurred.
“We assume this is an isolated incident which arose during the
restructuring of our Cambridge offices when a number of IT items were
disposed of at the end of their working lives.”
According to the Scottish and Newcastle spokeswoman, a spate of laptop
thefts had hit the company recently, which it had reported to the police,
and these were blamed for the incident, though no laptop drives were
analysed in the experiment.
Scottish and Newcastle then stated that the computers were part of
Scottish and Newcastle Retail, since sold to the Spirit Company, and that
S&N was not responsible for the disposal of the data.
A spokeswoman from the Swedish insurance giant Skandia, which has
invested heavily in data destruction but whose data was found on one
hard drive, welcomed the investigation.
“This is not embarrassing for us, it’s absolutely horrifying. We pay to
have our data wiped thoroughly, so we are going to have to investigate
this to discover how it happened and make sure that it does not happen
in the future.”
Southampton University, whose information, including passwords, staff
emails and names, was also discovered on other hard drives, confirmed that
it too had launched an investigation.
“The University has rigorous procedures in place to ensure the
destruction of all data stored on redundant computer equipment. We are
therefore disturbed by the news that information about the University’s
School of Physics and Astronomy has been found on hard drives and will
be investigating how this might have occurred.
“Where a computer is to be disposed of rather than used elsewhere
within the University, staff in the school or department concerned are
asked to clear the hard disk. A specialist external company then
undertakes an industry standard hard disk wipe on our behalf, before
disposing of the equipment in accordance with appropriate EU and UK
directives. This policy applies throughout the University, including
the School of Physics and Astronomy. We need to find out what happened
and ensure that it doesn’t happen again,” said a spokeswoman.
A spokeswoman from Hull University confirmed that it was investigating
the claims to determine whether the computers holding the data had
belonged to the university.
Story used by:
The Times, http://www.timesonline.co.uk/article/0,,2-1487674,00.html
The Daily Mirror, http://www.mirror.co.uk/news/allnews/tm_objectid=15198429&method=full&siteid=50143&headline=secrets-for-sale-on-name_page.html
BBC Breakfast
Times Online, http://www.timesonline.co.uk/article/0,,2-1487674,00.html
BBC Online, http://news.bbc.co.uk/1/hi/wales/4272395.stm
Press Association
The Scotsman, http://news.scotsman.com/latest.cfm?id=4144685
Manchester Evening News, http://www.manchesteronline.co.uk/news/s/146/146615_secrets_for_sale_in_ebay_disks_auction.html
The Register, http://www.theregister.co.uk/2005/02/17/hard_drive_data/
The Inquirer, http://www.theinquirer.net/?article=21308
What PC, http://www.whatpc.co.uk/analysis/1161310
IT Week, http://www.itweek.co.uk/analysis/1161310
Help Net Security, http://www.net-security.org/news.php?id=7173