The number of businesses that unwittingly dispose of computers with confidential data left on them remains remarkably high, despite the long-understood risks of not ensuring the information was permanently removed. Especially surprising is the number of companies that have discarded computers, devices and systems after presuming they took the proper measures to remove all of the data.
A recent study by the National Association for Information Destruction (NAID) found that 40 percent of the discarded computers, devices and systems it examined after they were sold into the secondary markets still contained personally identifiable information (PII) left by the original owners of the hardware. A vast number of computer hard drives, tablets and smartphones still contained personal and corporate PII including credit card data, contact information, user IDs with passwords and tax records.
Among the 250 devices examined, PII was still accessible on 50% of the tablets, 44% of the hard drives and 13% of the mobile phones. In many instances, those selling, donating, trading in or recycling the gear presumed they had adequately scrubbed the systems but failed to use the proper data destruction methods, often just reformatting the drives or using free software.
A University of Cambridge analysis published in June noted that hundreds of millions of devices that aren’t properly scrubbed are expected to be traded in next year. The report pointed to five different Android devices that are subject to problems with factory resets and warned that 500 million Android devices may not be properly sanitized and 630 million removable SD storage cards might also not be properly scrubbed.
Such mistakes can be costly. Once the old gear is in someone else’s hands, the data can be breached intentionally or through an inadvertent security vulnerability. A business risks not only its own information being compromised but also that of its customers. “Old storage devices can provide access to your confidential information within your business and within your personal accounts,” warned Glenn Laga, President and founder of Guardian Data Destruction, which is a NAID member. “Not only is that dangerous but it could be very expensive.” Over the past decade, a growing percentage of car audio and infotainment systems have allowed users to sync their music and contact information to the auto’s hard drive, and owners unknowingly trade in their cars presuming none of that data can be retrieved by a new owner, he added.
Estimates of how costly dealing with a breach can be depend on the number of records affected, the mitigation efforts required, whether it becomes public and whether legal action is taken. Average costs can range anywhere from hundreds of thousands of dollars to millions, and that doesn’t include the reputational impact and potential loss of future business. Besides the financial costs, a breach could cost top executives, and those deemed responsible, their jobs, Laga said.
The high rate of systems still not properly wiped is noteworthy, given that the need to do so was established well over a decade ago and that breaches have increased in recent years. “There is still a tremendous lack of awareness among business leaders as to the breadth and degree of the threat they themselves and their businesses face,” Laga said.
To eliminate any risk of PII getting into the wrong hands, Guardian believes the storage media on any discarded systems should be permanently destroyed, whether it’s hard disk drives or flash-based SSDs. Physically pulverizing the storage media of systems is the most surefire approach to ensuring data won’t resurface. Guardian uses an NSA (National Security Agency)-compliant 2 MM Onsite Solution for Solid State Drive Shredding. A recent breakthrough in industrial-grade shredder technology, the 2 MM SSD Shredder is the first mobile shredder that meets the data destruction standards set by the NSA.