Imagine this: you purchase a computer on eBay, plug it in, and find top secret missile defense secrets. What would you do? This is the situation a research group at Longwood University found themselves in after purchasing a used hard drive from the popular auction site.
This hard drive reportedly contained files from Lockheed Martin, a large US military contractor. The data recovered included: test launch procedures for the Terminal High Altitude Area Defense (THAAD) ground-to-air missile defense system, security policies, blueprints of facilities and social security numbers for individual employees.
A representative from Lockheed Martin is quoted in the article as saying:
‘Lockheed Martin is not aware of any compromise of data related to the Terminal High Altitude Area Defense program. Until Lockheed Martin can evaluate the hard drive in question, it is not possible to comment further on its potential contents or source.’
Fortunately, this drive was purchased as part of a controlled study to see what information could be recovered from used hard drives, and it did not fall into the wrong hands. The study also uncovered other sensitive information, including bank account details, medical records, confidential business plans, financial company data, personal ID numbers, and job descriptions.
The drives were bought from the UK, America, Germany, France and Australia by BT’s Security Research Centre in collaboration with the University of Glamorgan in Wales, Edith Cowan University in Australia and Longwood University in the US.
A spokesman for the project said they found 34 per cent of the hard disks scrutinized contained ‘information of either personal data that could be identified to an individual or commercial data identifying a company or organization.’
Even though the information in this case did not fall into the wrong hands, this story illustrates the importance of having a controlled data destruction process in every organization. Ask yourself this: can you track every computer, every hard drive after it is pulled from production? Do you know for a fact that every hard drive is wiped or destroyed? If you cannot answer yes to both questions, you owe it to yourself to work with a vendor that can fill this gap.
A hat tip to ExportLawBlog for their analysis of the incident.