Can I have your data please? And you can have a massive fine
In 2005, Professor Andrew Blythe at the University of Wales conducted the first research in the UK into how much data is “loose out there” on media. His team purchased 105 hard disks, of which 92 were immediately readable. This research “flicked my switch” and made me passionate about destroying data.
One disk came from a well-known auction site for £5 and contained an entire children’s database with all their personal details. I was appalled – if my children had been on that, I would have got very cross with those responsible for revealing such data in the open, where it could have been used in many criminal ways. The school had used a flaky outfit that didn’t have the ability to erase and/or destroy the data on the disks and needed the money – thus a massive threat.
Disposal of data
So, all data is sensitive? On all media? How do you deal with yours? Do you really know it has “gone”? I know of large organisations using companies with no approvals, no credentials, no approved equipment, no approved procedures and no security – why are corporations that should know better doing this?
Destruction, erasure, wiping, disposal, shredding: many different words for getting rid of data. As long as it is done properly and permanently, the semantics don’t really matter. Erasing a disk thoroughly, rather than destroying it, has one advantage: the disk can be reused. This is far better for the environment and for compliance, especially with the little-known PAS 141 (the BSI specification for the reuse of used electrical and electronic equipment). It also costs less.
Many organisations forget that when hard disks (drives) are erased with software, a proportion, possibly up to 15%, will not erase: the overwrite fails or cannot reach all of the media, and the device still holds data. Such a drive then needs to be physically destroyed. Some organisations never check whether the erase actually succeeded and never take this step, so the threat remains.
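The check that separates a drive fit for reuse from one that must go to the shredder is a read-back after the overwrite. The script below is an added example, not the author's own tooling or any particular vendor's process: it overwrites a target with zeros, reads it back and reports the first byte that did not take the wipe. The file name, the 64 KiB image and the planted “SECRET” bytes are constructed for the demonstration; on a real drive the same functions would be pointed at a block device.

```sh
#!/bin/sh
# Verify a software overwrite by reading the target back, so a drive that
# silently failed to take the zeros is caught and sent for physical
# destruction instead of being reused or resold.
# Assumed usage (not from the article): ./wipecheck.sh --demo
set -eu

# Overwrite every byte of TARGET with zeros.  For a real disk the size should
# come from `blockdev --getsize64`; wc -c is used here so the demo works on a
# plain file.  Sizes are assumed to be a multiple of 4096 bytes.
overwrite_with_zeros() {
    ow_target=$1
    ow_size=$(wc -c < "$ow_target")
    dd if=/dev/zero of="$ow_target" bs=4096 count=$((ow_size / 4096)) \
       conv=notrunc 2>/dev/null
    sync
}

# Print the 0-based offset of the first byte that is not 0x00, or nothing if
# the whole target reads back as zeros.  `cmp -l` lists every differing byte
# as "<1-based offset> <octal a> <octal b>"; it exits non-zero when it hits
# EOF on the target (/dev/zero is endless), so only the listing is used.
first_nonzero_offset() {
    cmp -l "$1" /dev/zero 2>/dev/null | head -n 1 | awk '{ print $1 - 1 }'
}

# Return 0 (success) only if TARGET contains no non-zero byte.
verify_zeroed() {
    [ -z "$(first_nonzero_offset "$1")" ]
}

# Self-contained demonstration on a constructed 64 KiB image: wipe it, confirm
# the check passes, then simulate a region the overwrite did not reach and
# confirm the check fails and names the offset.
demo() {
    demo_img=$(mktemp)
    dd if=/dev/urandom of="$demo_img" bs=4096 count=16 2>/dev/null

    overwrite_with_zeros "$demo_img"
    if verify_zeroed "$demo_img"; then
        echo "after overwrite: clean, safe to reuse"
    else
        echo "after overwrite: NOT clean"; rm -f "$demo_img"; return 1
    fi

    # Constructed failure: six bytes of old data survive at offset 4096.
    printf 'SECRET' | dd of="$demo_img" bs=1 seek=4096 conv=notrunc 2>/dev/null
    if verify_zeroed "$demo_img"; then
        echo "residual data missed"; rm -f "$demo_img"; return 1
    fi
    echo "residual data at byte $(first_nonzero_offset "$demo_img"); destroy the device"
    rm -f "$demo_img"
    return 0
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

A read-back only proves what the drive is willing to show through its normal addressing: sectors the firmware has already reallocated, a host protected area or device configuration overlay, and the over-provisioned cells of an SSD are not touched by a host-side overwrite and do not appear in this check. Treat a failed read-back as “destroy”, and treat a passed one as necessary but not sufficient unless the drive also completed a firmware-level erase such as ATA Secure Erase.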
Devices carrying data
The range of data-bearing devices and media is now extraordinary: old floppy disks, USB sticks, CDs, mobile phones, PDAs, and micro hard disks located in communications equipment and on printed circuit boards (PCBs). Many of these are simply not addressed; CCTV recorders and photocopier hard disks are two examples.
Did you know that many print devices and most photocopiers contain hard disks? I bumped into a solicitor friend of mine and he told me about his new photocopier. I asked him what he had done with the hard disk in his old one. He stood rooted to the spot, went very pale and asked why. I mentioned that all of his photocopying for maybe the last year would be on the disk. I am sure I don’t have to spell out what trouble there could be if someone used the data on that disk. Not all photocopiers have big hard disks.
A free service?
Just recently an NHS customer told me about a service they had been offered for FREE: all recycling and disposal of data. The essence of free: 1) no responsibility, 2) no guaranteed service, 3) no proper controls to destroy data, 4) massive security risk.
Would you give all of your company data – customers, suppliers, profit margins – or, for the police, mission data, informants, undercover officers’ home addresses and family members – to someone who is charging nothing to get rid of it? I suspect your “risk appetite” is not so bold once you know the truth.
Just recently NHS Surrey received a massive fine after data was revealed – another classic FREE service?
As one NHS IT manager said to me, “I can’t afford free, it is too expensive”.
Make sure you do it properly. I was once “attacked” when a company told me my £10,000 loan approval had come through and asked me to confirm some details. They only needed me to be slow and provide two details, and I would have lost £10,000 via a loan. The data had been “mislaid” by a famous organisation and the baddies got hold of it.
Some scam, eh?
Get rid of your data properly otherwise it could be you, your family or your organisation paying for it dearly.
W R Osborne MBCI MMS
Information Assurance Consultant