In the week of the OPEN MINDS conference on technology, which focuses in part on the future of data security and breach protection, this next item seems highly relevant. It is a story which shows how easy it can be to be the unwitting source of a data breach.
First, let me say this. I have worked in various sectors of the computer industry for many years. So has my lovely and talented wife. This is her story, one she shared with me about an event earlier this week. With her kind permission, I now share it with you. It goes like this…
A wholesaler regularly purchases consignments of returned electrical equipment from a well-known outlet chain. Now, like any consignment purchase, some things are good and some are not, and you don’t know which is which until you unpack the skid. My wife is on a retainer to go through anything computerish (a technical term curiously absent from most spell checkers) and see what still works, and whether it can be fixed. She restores computers to default, resets routers, tests printers, leaps tall buildings in a single bound, that kind of thing. Did I mention, she is talented?
In this particular consignment was a 1 Tb hard drive, which had been returned because it was apparently no longer working. Dead. Using her suite of diagnostic tools, my wife was easily able to identify the problem and fix the drive within thirty minutes, ready for resale. Job, as they say, done.
What she discovered once the drive was functional is of more interest. This once dead drive now leapt to life and divulged the full contents of every file and folder. Those contents consisted of over 350 Gb of business and personal tax accounts going back several years. For the original owner, an accounting firm, had used this drive for making backups of their client data. And all of this highly sensitive data, including addresses and SIN numbers, was now at our feet. Now you see why I am naming no names.
Being ethical and honest, my wife immediately destroyed the data, running several passes and a few formats to ensure complete shredding of every single byte of data, before passing this now harmless drive back to the aforementioned wholesaler. That unnamed accounting firm can rest easy and are blissfully unaware of the potential disaster they narrowly avoided. However, a less ethical person, gaining possession of such a hard drive, would have been in a very good position to leverage all that unsolicited data in all kinds of ways, none of them good.
So here, finally, is the point. Security is often about the things that you don’t think you need to worry about. I am certain the original drive owner had no fears about the data on this drive. They gave no thought to what could happen if it fell into the wrong hands. It was dead, right? Clearly not. Fortunately, this drive landed in the hands of someone that takes such things in their stride as part of their everyday work and knows how to handle it. This is not, I regret to say, the first time something like this has happened.
I have written before about the possible security problem of the hard drive sitting innocently inside your office printer right now. Today I write about a seemingly dead backup drive. The take away here is that any hard drive may still contain data which could source the next data breach headline, and take your business with it.
If your business involves personally identifiable health information, or any other sensitive data for which you are legally and ethically accountable, a breach of which you would not like to see emblazoned in three-inch high letters across your Sunday newspaper, you would be well advised to treat physical security precautions seriously and add them into the rotation for your next security risk analysis.
So, before throwing it away, returning it to the outlet, or even selling your printer, make absolutely certain that you have taken every step you can to ensure that any drives contain zero data. Even the dead ones. And that goes double for any computer upgrades, too, by the way.
Even if you have to disassemble it physically (with, say, a hammer). Even if you have to keep the drives locked in a cupboard, forever. Never underestimate the power of a good computer technician to revive dead equipment, or even to forensically analyse and rebuild files you think securely deleted. After all, many companies make a legitimate living by specializing in data recovery services. In the right hands, almost any drive can be resurrected. She is really talented.
And so are many others. That this drive found itself in the tender care of my tender beloved was a matter more of luck than of any advance planning. In hindsight, I hope we can agree that this is clearly not something anyone would want to leave to chance.
Think about that before you send back or throw away any hard drives. Please.