Lessons not learned on data disposal
Faculty of Computing, Health and Science
School of Computer and Security Science / Centre for Security Research
There has been a great deal of media attention paid to high profile losses of data such as the UK HR Revenue and Customs (HMRC) loss of the personal records of 25 Million people in 2CDs, the TJX (the parent company of TJ MAXX) loss of 40 million customer account records and the U.S. Department of Veterans Affairs (VA) loss of information on more than half a million people. While these spectacular failures are certainly newsworthy, they have in some ways diverted attention from the underlying issues. What remains almost unreported is the levels and types of information that are given away on a daily basis when equipment that contains digital storage media such as computers, Personal Digital Assistants (PDAs), mobile phones, etc. is disposed of at the end of its useful life.
Over the last four years research has been carried out to determine the level of information that individuals and organisations inadvertently give away when they dispose of computers and hand-held devices such as mobile (cell) phones, RIM Blackberries and PDAs. This research has been carried out by an industry/academic collaboration led by British Telecommunications with academic partners at Edith Cowan University in Perth, Australia, the University of Glamorgan in Wales and Longwood University in Virginia, USA.
The results of the research, which has now examined more than 1000 computer disks and 160 hand-held devices, have provided an insight into the very poor protection that both organisations and individuals give to data when they dispose of these types of equipment. It has given an indication of the effect that the availability of this information is likely to have in causing data breaches and will provide personnel involved in incident response and management with indicative data of the type of information that may be lost in an incident and allow them to plan suitable measures to mitigate the effects. It will also be of interest to those involved in digital forensics as it provides an indication of the likelihood of information being available on devices being examined and the steps that have been taken in attempts to remove it.