The Information Commissioner’s Office (ICO) is urging consumers to take better care of their data, following an investigation into the trade in used hard drives. The ICO has published new guidance to help people securely delete personal information from their old devices.
The ICO says that it will also be publishing more detailed guidance for organisations shortly. The ICO found that one in ten second-hand hard drives sold online may contain residual personal information. An ICO survey also found that 65pc of British adults now hand on their old phones, computers and laptops to another user, with 44pc giving it away to somebody else for free and around one in five (21pc) selling it to somebody else.
In December 2010, the ICO asked a computer forensics company – NCC Group – to source around 200 hard drives, 20 memory sticks and 10 mobile phones. The devices were mainly bought online from internet auction sites and some were sourced at computer trade fairs. The devices were then searched, initially without any additional software, and then interrogated using forensic tools freely available on the internet.
The research found that, while half (52pc) of the hard drives investigated were unreadable or had been wiped of data, 48pc still contained information and 11pc held personal data. The amount of personal data found on the mobile phones and memory sticks was negligible.
In total 34,000 files containing personal or corporate information were recovered from the devices. At least two of the hard drives contained enough information to enable someone to steal the former owner’s identity. The residual documents included scanned bank statements, passports, information on previous driving offences, and some medical details. A further four hard drives contained information about the employees and clients of four organisations, including individuals’ health and financial details.
All four organisations were contacted and have now taken action to ensure people’s information is securely deleted from redundant equipment, or the equipment is destroyed as necessary. One company – Safe and Secure Insurances Services Limited – has also signed an undertaking to introduce further improvements.
Announcing the report, Information Commissioner, Christopher Graham said: “We live in a world where personal and company information is a highly valuable commodity. It is important that people do everything they can to stop their details from falling into the wrong hands. Today’s findings show that people are in danger of becoming a soft touch for online fraudsters simply because organisations and individuals are failing to ensure the secure deletion of the data held on their old storage devices.
“Many people will presume that pressing the delete button on a computer file means that it is gone forever. However this information can easily be recovered.
“The ICO has published guidance to help individuals securely delete information stored on their old devices. We hope this publication will help people to take better control of their personal data.”
The ICO also published a survey to coincide with the research project, looking at people’s attitudes towards data disposal. The survey suggests that 65pc of people now hand on their old phones, computers and laptops to another user, with 44pc giving it away to somebody else for free and around one in five (21pc) selling it to somebody else. This figure rises to 31pc of 18 to 24 year olds selling their mobile phone, computer or laptop to somebody else.
The survey also found that one in ten people who have ever disposed of a mobile phone, computer or laptop, said that they had never deleted information held on a device before disposing of it, potentially allowing their data to be accessed by the next person who used it.
Ollie Hart, head of public sector UK and Ireland at IT security product company Sophos, made these comments:
“This latest research once again underlines the need for better education around data protection. It’s hard to believe that we’re still seeing this kind of breach, particularly when you consider that four of the hard drives came from organisations rather than individuals and contained information about employees and clients, including health and financial details.
“Further research from the ICO indicates that many users now sell their old devices, a trend that is particularly common among 18 to 24 year olds. With this in mind, it’s critical that education starts at a young age and everyone understands the impact of the data they have.
“With organisations increasingly facing stricter budgetary pressures, we’re inevitably seeing a rise in the ‘bring your own device’ trend. As the boundaries blur, there is a rising risk of corporate data ending up on personal devices. The more devices we use, meanwhile, the harder it is to keep track of what data we’re storing where. According to Sophos’s own recent research, a staggering 96 percent of respondents (IT professionals) do not trust their end users to make sound IT security decisions, with 26pc of respondents saying that senior management commits the worst IT security offences, demonstrating that a lack of understanding of security policies and best practices can have a significant impact on IT infrastructure.
“It’s disappointing to see yet another example of organisations either not caring, or not understanding their obligations. Ultimately, it is the responsibility of organisations to ensure that the data they are entrusted with is stored responsibly, whether that be centrally or locally. Everyone should ask themselves three simple questions: Where is my data? Do I have a policy for storing data locally? And have I considered the impact on both my customer and business of storing this data?”
Sophos has developed free “IT Security DOs and DON’Ts” materials, available to download: www.sophos.com/staysafe.
And Scott Thomas, EMEA marketing director at Condusiv, offered comment in response to the ICO’s statistics:
“These findings came as no surprise. With tools such as Windows Recycle Bin and other supposedly secure methods of deletion, users can often be lulled into a false sense of security when removing unwanted files from their gadgets. In reality, there is a fundamental flaw in the way that certain sensitive information is removed. Hitting ‘delete’ is not enough.
“Businesses today hold a staggering amount of data, and organisations are wising up to the need to store it securely; however, this is not always the case with data that is no longer required. Failure to distinguish between files that may need to be recovered and those that should be permanently removed could unwittingly expose passwords, email addresses, bank statements and other vital pieces of information.”
“There are both regulatory and practical consequences of improper file deletion. In practical terms, unnecessarily storing data that is no longer needed takes up capacity and will eventually impact the performance of IT systems. More importantly – and as demonstrated by this research – sensitive data that has not been properly deleted could end up in someone else’s hands and give cybercriminals the tools they need to coordinate an attack. Anybody that is serious about data security should utilise an electronic shredder that not only deletes a file, but overwrites the disk space the file previously occupied – in order to make it virtually impossible for anyone to access the unwanted information.”
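The two points made above, that pressing delete leaves the file’s bytes in place and that an overwriting shredder is what actually removes them, can be shown on a small constructed disk image. This is an added illustration, not code from the ICO, NCC Group, Sophos or Condusiv; the toy filesystem, the document-header list and the sample file contents are all assumptions made for the example, and `residual_scan` is the kind of check one would run on an image before a drive changes hands.

```python
import os

BLOCK = 512
# Headers of common document formats that a pre-disposal check looks for in the
# raw image. Constructed list for this example, not taken from the ICO guidance.
SIGNATURES = {b"%PDF-": "PDF", b"PK\x03\x04": "ZIP/Office", b"\xff\xd8\xff": "JPEG"}

class ToyDisk:
    """Stand-in for a hard drive: a byte array plus a name -> (offset, length) directory."""
    def __init__(self, n_blocks):
        self.image = bytearray(n_blocks * BLOCK)
        self.directory = {}

    def write(self, name, start_block, data):
        off = start_block * BLOCK
        self.image[off:off + len(data)] = data
        self.directory[name] = (off, len(data))

    def delete(self, name):
        # Ordinary 'delete': the directory entry goes, the blocks stay exactly as they were.
        del self.directory[name]

    def shred(self, name):
        # 'Electronic shredder': overwrite the blocks, then drop the entry. Applying the
        # same overwrite to every block is what a whole-drive wipe before disposal does.
        off, length = self.directory[name]
        self.image[off:off + length] = os.urandom(length)
        self.image[off:off + length] = bytes(length)  # final zero pass so a wipe is verifiable
        del self.directory[name]

def residual_scan(image):
    """Audit an image: fraction of blocks holding any data, plus every document
    header still present, whether or not a file currently points at it."""
    n_blocks = len(image) // BLOCK
    nonzero = sum(1 for i in range(n_blocks) if any(image[i * BLOCK:(i + 1) * BLOCK]))
    raw, hits = bytes(image), []
    for sig, kind in SIGNATURES.items():
        pos = raw.find(sig)
        while pos != -1:
            hits.append((pos, kind))
            pos = raw.find(sig, pos + 1)
    return nonzero / n_blocks, sorted(hits)

def demo():
    disk = ToyDisk(64)
    disk.write("statement.pdf", 3, b"%PDF-1.4 constructed sample bank statement")
    disk.write("photo.jpg", 10, b"\xff\xd8\xff\xe0 constructed JPEG bytes")
    disk.delete("statement.pdf")  # gone from the directory, not from the disk
    after_delete = residual_scan(disk.image)
    disk.shred("photo.jpg")  # overwritten: the header can no longer be carved
    after_shred = residual_scan(disk.image)
    return {"after_delete": after_delete, "after_shred": after_shred}
```

After the delete the scan still reports the PDF header at block 3, exactly as the forensic tools in the ICO study would; only the shredded file disappears from the image.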