The hardware assets leaving your organization can be a security risk—even after they’re discarded. Cyber criminals have gone to great lengths to access storage media, even going through landfills. Physical destruction remedies this possibility by reducing hard drives and other storage devices to shreds. However, with 3.4 million tons of e-waste going into landfills every year (according to the U.S. Environmental Protection Agency in 2014), the chance your sensitive data is at risk, is higher than you may think.
Believe it or not, thieves can and do retrieve data after devices are trashed. Here are some ways this is achieved:
Discarded devices from corporations and governments often end up in landfills in countries with little or no environmental regulations. Thieves who know where these centralized locations are have no trouble accessing and sifting through the dumps to find potentially data-rich devices. In 2006, an Idaho Power Company that participated in a hard drive recycling program didn’t wipe their drives. The drives weren’t properly wiped by the ITAD vendor either. Old drives with confidential information, numbering in the hundreds, soon appeared on eBay.
The legitimacy of e-waste recycling services must be addressed with due diligence. In 2014, a company offered free e-waste recycling via an online ad, which prompted a warning from police in Reno, Nevada. Data thieves were posing as e-waste companies, extracting data from desktop computers, laptops, and other data storage devices to access personal information.
Experienced thieves aren’t the only ones who can obtain information from old electronics. For example, in 2006, a New York City woman received a laptop that had been thrown in the garbage. The gift from her friend seemed to be in good condition, except emails to the previous owner kept coming in. Fabrice Tourre, later accused of defrauding investors, was the previous owner of the laptop. The New York Times report on Tourre arose out of information on the computer, which the woman had turned over to the newspaper.
Software-based erasure of data is a challenge for these reasons:
There are few options when it comes to truly protecting sensitive information. Degaussing only works on magnetic storage devices, not on SSDs. On write-only optical media devices, information cannot be erased. Even a discarded Flash drive can be used to recover data after erasure.
Data persistence is a phenomenon that exists in temporary storage devices. Static random-access memory (SRAM) devices are designed to store data so long as there’s a power source; but data persistence has been observed at room temperature. A power supply is also needed by dynamic random-access memory (DRAM) chips.
Without power, data will fade away, but it can still be accessible within a few minutes—and that’s at room temperature. Should a thief store the device in liquid nitrogen, data may persist for up to a week, which is certainly enough time for a cybercriminal to retrieve volumes of sensitive information.
Deletion and overwriting are common forms of data sanitization. Routine methods of deleting data, including moving files to the recycling bin, doesn’t eliminate them permanently. Disk-cleaning software, such as a disk-wiping utility, offers a more permanent and reliable solution. Magnetic hard drives can also be degaussed. A degausser applies a strong magnetic field to destroy stored data. The most effective way to destroy data, though, is complete destruction of the storage media using an HDD crusher or by:
For the highest security applications, hard drives may be melted. This takes data destruction to the ultimate level because no data bits will remain after a hard drive’s scrap metal is thrown into molten liquid. It also eliminates the data exposure risk during transportation, during which storage media may be most vulnerable to data theft.
Some of the largest computing companies have developed innovative solutions to protect sensitive data and the environment. Microsoft once proposed powering a data center with methane from a landfill. It even built a prototype 200kW data center fueled by methane biogas. Google has built six data centers that send no waste to landfills. An Oklahoma facility uses a trash compactor to divert waste, reduce vendor pick-ups, and maintain cleanliness on-site.
Discarded media can increase the risk of data breaches, security standard violations, and uncertainty of your exposure risk. We understand that some organizations require physical destruction of hard drives in addition to, or instead of erasure with software. In such cases, we recommend having destruction options on site. This can help safeguard your chain-of-custody security by reducing the drive's touch points until it can be properly destroyed
To learn more about your data destruction options, contact us online or call WhiteCanyon Software at 1.801.224.8900 today.