Posts

5 Questions to ask your Data Destruction Company

When you replace your computers, what happens to the data on them? With increased legal scrutiny and identity theft protections, it is important for you to know exactly what happens to the information on your end of life computers. Some companies prefer to keep this responsibility in-house, using tools like Blancco, KillDisk, or dBan. Software drive wiping can take a long time, and if you have a large number of machines to wipe, dedicating an employee to wipe drives can be costly. Read more

Buy a used hard drive on eBay, get government secrets for free!

Imagine it, you purchased a computer on eBay, plug it in, and find top secret missle defense secrets. What would you do? This is the situation a research group at Longwood University found themselves in after purchasing a used hard drive from the popular auction site.

This hard drive reportedly contained files from Lockheed Martin, a large US military contractor. The data recovered included: test launch procedures for the Terminal High Altitude Area Defense (THAAD) ground-to-air missile defense system, security policies, blueprints of facilities and social security numbers for individual employees.

A representative from Lockheed Martin is quoted in the article as saying:

Lockheed Martin is not aware of any compromise of data related to the Terminal High Altitude Area Defense program. Until Lockheed Martin can evaluate the hard drive in question, it is not possible to comment further on its potential contents or source.

Fortunately, this drive as purchased as part of a controlled study to see what information could be recovered from used hard drives and did not fall into the wrong hands. The study also uncovered other sensitive information including bank account details, medical records, confidential business plans, financial company data, personal id numbers, and job descriptions.

The drives were bought from the UK, America, Germany, France and Australia by BT’s Security Research Centre in collaboration with the University of Glamorgan in Wales, Edith Cowan University in Australia and Longwood University in the US.

A spokesman for the project said they found 34 per cent of the hard disks scrutinized contained ‘information of either personal data that could be identified to an individual or commercial data identifying a company or organization.’

Even though the information in this case did not fall into the wrong hands, this story illustrates the importance of having a controlled data destruction process in every organization. Ask yourself this: can you track every computer, every hard drive after it is pulled from production? Do you know for a fact that every hard drive is wiped or destroyed? If you cannot answer yes to both questions, you owe it to yourself to work with a vendor that can fill this gap.

A hat tip to ExportLawBlog for their analysis of the incident.

The DDRV is heading to Texas… YeeHaw!

This Saturday, Josh & Dan are headed to Texas in DDRV 2. They’ll be heading through several major cities from St. Louis, including Oklahoma City, San Marcos and Austin, Texas, shredding thousands of hard drives as they go. It’s always an adventure with these two, so I’m looking forward to hearing what Josh will Twitter about.

Stimulus Bill significantly modifies HIPAA regulations

Buried within the huge American Recovery and Reinvestment Act (a.k.a, the “Stimulus Bill”) are a few changes to HIPAA’s Privacy and Security Rules, increasing the scope of coverage to include Business Associates. This means data security providers, contractors, and partners can be directly fined for informational security breaches that occur on their watch. The bill also increases the penalties for some of the violations.

Previously, Business Associates were required to comply only with a written business associate agreement. Now Business Associates are subject to many of the same requirements hospitals and medical providers are. They will be required to appoint a security official, develop written policies and procedures pertaining to data leakage, and training its workforce in electronic data protection.

In addition, breach notification requirements were increased. If a breach occurs, the specific business entity that has the breach will be required to notify every individual affected by the security breach. If current contact information is not available, the entity may be required to post notification on their website or in some other broadcast medium (television, newspapers). The bill also provides for the creation of a website by the Health and Human Services department to list information about these breaches.

Source: Stimulus Bill dramatically modifies HIPAA rules

Data Destruction: Is One Pass Overwriting Enough?

There is some controversy regarding data destruction in the IT industry, some vendors claim that no software writing solution is secure, and only firmware level erasing, like Secure Erase, is certifiable. Others go further and say that only physical destruction is enough. The DoD spec calls for either a 3 pass or a 7 pass wipe, and NIST has stated:

Studies have shown that most of today’s media can be effectively cleared by one overwrite.

Popular TV shows like Numb3rs show scientists able to recover data from drives even after they have been wiped. There are probably as many standards to wipe data from hard drives as there are companies providing solutions. When is it enough? EPC as a company has standardized on the 3 pass DoD wipe as it is well recognized in the IT industry and it is a relatively fast process. Read more