Data disposal – trash to treasure?
Sensitive data is so casually stored, even discarded, secondhand devices can still lead to exposure. In 2017, the National Association of Information Destruction (NAID) purchased a number of used electronics online for research purposes, and found plenty of personally identifiable information (PII) stored within. More recently, security company ESET bought 16 used routers, only to discover that some of them hadn’t been cleared of their sensitive corporate data.
As is the case with legacy devices, it can often be too easy to overlook proper security for outdated tech. Bad actors are just waiting to pounce upon such chances. In this example, ESET’s findings on the routers included core networking data about the company, application data, corporate credentials, as well as partner, vendor and customer information (22% contained this). This data present on the devices, what is known as a “digital blueprint,” allowed ESET to identify the former owners in many cases. Among these were data centers, third party tech providers, law firms, manufacturing and software companies.
Before these devices were put on the secondary market, one would hope their previous owners would have thoroughly purged any vulnerable data that could lead to future cyber attacks if they fell into the wrong hands. Alas, no such luck.
“We would expect medium-sized to enterprise companies to have a strict set of security initiatives to decommission devices, but we found the opposite,” said an ESET security researcher. Perhaps most surprising of all is the fragmentary response ESET received when alerting a number of these companies to the risk: some were “shockingly unresponsive” to what should be a code red issue. Tantamount to a full on data breach, leaving identifiable information on discard devices should have the entire organization implementing their standard response plan.
Data breaches continue to rise in frequency – even T-Mobile just announced their second breach of the year. What this shows above all is the tireless work cyber criminals put in to steal valuable data for their own profit. And yet, still we see organizations that are careless enough to roll out the red carpet for hackers. Disposal is as crucial a part of the data collection process as any. Failure to do so properly suggests an overall lack of good cyber hygiene throughout a firm. When it comes to get rid of old data or devices, make sure one person’s trash doesn’t become another’s treasure.