A UK data security service company reports a survey, carried out by the University of South Wales’ Computer Forensics Lab. It’s suggested that most hard drives purchased online contained personal data.
Letchworth-based Ultratec specialise in erasing or destroying data from electronic media. In the wake of a £200,000 fine levied against NHS Surrey by data regulators for the loss of more than 3000 patients’ sensitive information – featured in the August print issue of Professional Security Magazine – it commissioned Prof Andrew Blythe at the Computer Forensics Lab, University of South Wales to find out if hard drives purchased online contained any data. The point of the study; to assess consumer and seller awareness in the wake of high-profile data security scandals involving public and private sector bodies using computers.
The study found that although most consumers are more aware of the risks associated with data security, many companies offering products on auction sites are still ignoring the potential consequences and selling hard drives containing personal and/or corporate data.
Looked at were IT parts resellers and recyclers who use online auction sites to sell their drives or computers. Some drives were purchased as having been wiped or erased and others were purchased as defective.
Each hard drive was examined by Prof Blyth and staff at the University of South Wales. Ultratec describes the results as shocking; even hard drives which have been allegedly ‘wiped’ still contained personal and sensitive data.
Prof Blythe said, “Ultratec, considered by many to be leaders in the field of data destruction, commissioned an independent study in 2012 to find out if hard drives purchased online contained any data. We approached Ultratec as they have demonstrated how to correctly destroy data on millions of disks over a 17 year period. This is something that cannot be taken lightly and we wanted to see if others had the same expertise, commitment and results.
Ultratec’s Information Assurance Consultant Bill Osborne is on the advisory council of the Asset Disposal and Information Security Alliance (ADISA). He said: “There is no doubt that this investigation has thrown up some very troubling findings. It highlights the very real threat of data security and shows that there is still a long way to go until sensitive data removal is approached correctly by the majority.”
The report into the investigation’s findings states, “There appear to be a number of disks containing a mixture of corporate and personal data. This suggests that either the user is working on corporate data on a home system, which raises security issues, or the user is carrying out personal activities on corporate systems, which could also raise concerns. For example six of the 125 hard drives contained pornographic material but of the six hard drives, one could be determined as originating from a corporate environment.”
Ultratec points to an increased international push to reduce data offences and safeguard sensitive information. In the UK, the Information Commissioner is seeking custodial sentences for serious data offences and potential fines of up to 2pc of global turnover, arguing that the current limit on fines of £500,000 is not sufficient and tougher penalties including prison sentences are needed. The custodial sentences, first introduced by the Criminal Justice and Immigration Act 2008, require activation by secondary legislation. This is expected to be debated after the recent Directive on Network and Information Security proposed by the EU.
The full report will be published later this year. Find out more.
About Ultratec
Established in 1996, Ultratec offers hard disk erasure, repair, recovery of data and the secure disposal of hard disk and tape media. The Services Division specialises in Secure Data Erasure (hard disks) and Destruction of data on all media, at all levels of security – on or off site. Ultratec is fully compliant with HMG Security Policy Framework Mandatory Requirement 45.
