Data left on old computers = data breach in the making
February 20, 2014 |
Failure to scrub data from old computers, or from devices at the end of a lease, can easily result in a data breach, because sensitive information becomes accessible to unauthorised people. A deleted file or a quick reformat is not an erasure: the contents stay on the disk until overwritten. The ICO in the UK has issued guidelines on what should be done (I have posted on this subject here). With the growth of BYOD and the internet of things this problem will only grow. It is critical for organisations to have the right protocols and training in place to deal with this potential data time bomb. In "Do you know where your data is?" the Sydney Morning Herald highlighted this problem.
The article provides:
Where’s your old computer? Landfill? Being used by Aunt Mary? Can you even remember where it is? How about the computer before that? No idea? Didn’t think so.
So when you gave away the computer – or chucked it out – you did remember to erase all your files? Your e-tax records? Your clients’ names and details? Your passwords?
Let’s face it, when we get rid of an old computer few of us bother to make sure all the sensitive information on it has been wiped.
Which means somewhere out there, there’s an awful lot of sensitive data that, if it fell into the wrong hands, could cause pretty serious damage to businesses and the people that run them.
The National Association for Information Destruction, a data protection watchdog agency, has just finished analysing 52 second-hand computers it bought from places such as eBay.
According to the research, 15 of the 52 computers it looked at had highly confidential information on them. Of these, eight computers had once belonged to organisations that should know better when it comes to storing data. Some were law firms located in Queensland and Victoria. Computers once owned by a government medical facility and a community centre were also among the research sample – entities that have an obligation to protect customer data.
NAID CEO Bob Johnson said in a statement: “We randomly purchased 52 recycled computer hard drives from a range of publicly available sources, such as eBay. We then asked a highly reputable forensic investigator, Insight Intelligence, to determine whether confidential information was on those drives. The procedure used to find the information is intentionally very basic and did not require an unusually high degree of technical heroics. Had the data been properly erased, it could not have been found.”
What the private investigator found was a smorgasbord of sensitive information – spreadsheets of clients’ and account holders’ personal information, including names, addresses, account numbers, confidential client correspondence, billing information, and personal medical information such as diagnoses, treatment, and prognoses.
It’s a pretty frightening scenario, given changes to the Privacy Act that come in on 14 March. The new rules mean businesses have more significant responsibilities when it comes to protecting client data. Business owners who are found to have breached the rules face potential jail time.
So what’s the message for small businesses? Aside from calling up Aunt Mary and asking for your computer back, it might be an idea to seek professional advice about erasing the data on your old computers next time it’s time for an upgrade.
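The NAID statement above says the recovery procedure was "intentionally very basic" and that properly erased data could not have been found. The following is an added example, not code from this post, from NAID or from Insight Intelligence, showing why that is so: a constructed toy "disk image" stands in for a second-hand drive, a dict stands in for the filesystem directory, and the search patterns (an `ACC-` account-number format and the word "diagnosis") are hypothetical placeholders for whatever a real investigator would grep for. The point it demonstrates is that an ordinary delete only removes the directory entry, so a raw scan of the image still finds the records, while an overwrite followed by a verification pass does not.

```python
"""Constructed demonstration: a deleted file is not an erased file.

A bytearray stands in for a recycled drive image and a dict stands in
for the filesystem directory.  Nothing here touches real hardware.
"""
import re
import secrets

BLOCK_SIZE = 512

# Constructed sample records, standing in for a client spreadsheet.
SAMPLE_RECORDS = (
    b"name,address,account,diagnosis\n"
    b"A. Client,12 Example St,ACC-00012345,none\n"
    b"B. Client,34 Sample Rd,ACC-00067890,none\n"
)

# Hypothetical patterns a very basic raw-disk search might look for.
SENSITIVE_PATTERNS = [re.compile(rb"ACC-\d{8}"), re.compile(rb"diagnosis")]


class ToyDisk:
    def __init__(self, blocks=64):
        self.image = bytearray(blocks * BLOCK_SIZE)
        self.directory = {}      # file name -> (first block, block count)
        self.next_free = 0

    def write_file(self, name, data):
        nblocks = -(-len(data) // BLOCK_SIZE)      # ceiling division
        start = self.next_free
        off = start * BLOCK_SIZE
        self.image[off:off + len(data)] = data
        self.directory[name] = (start, nblocks)
        self.next_free += nblocks

    def delete_file(self, name):
        """Ordinary delete (and a quick format): only the directory entry goes.
        The data blocks are untouched, which is what a raw scan exploits."""
        del self.directory[name]

    def overwrite_file(self, name):
        """Erase: overwrite the file's blocks, then remove the entry.
        A random pass followed by a zero pass keeps verification simple.
        Caveat: on SSDs, overwriting logical blocks does not guarantee the
        underlying flash cells are cleared; use the device's secure-erase or
        crypto-erase command instead, or encrypt the drive from day one."""
        start, n = self.directory[name]
        lo, hi = start * BLOCK_SIZE, (start + n) * BLOCK_SIZE
        self.image[lo:hi] = secrets.token_bytes(hi - lo)
        self.image[lo:hi] = bytes(hi - lo)
        del self.directory[name]

    def wipe_all(self):
        """Whole-disk zero-fill, the option when files were deleted long ago."""
        self.image[:] = bytes(len(self.image))
        self.directory.clear()


def carve(image):
    """The 'basic procedure': ignore the directory and scan the raw bytes."""
    hits = []
    for pat in SENSITIVE_PATTERNS:
        for m in pat.finditer(image):
            hits.append((m.start(), m.group()))
    return sorted(hits)


def printable_strings(image, min_len=8):
    """strings(1)-style extraction of readable runs from the raw image."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, image)]


def verify_wiped(image):
    """Disposal-protocol check after a zero-fill: every byte must be zero."""
    return not any(image)


def demo():
    """Return what a raw scan finds after a delete versus after an overwrite."""
    deleted = ToyDisk()
    deleted.write_file("clients.csv", SAMPLE_RECORDS)
    deleted.delete_file("clients.csv")

    erased = ToyDisk()
    erased.write_file("clients.csv", SAMPLE_RECORDS)
    erased.overwrite_file("clients.csv")

    return {
        "after_delete": len(carve(deleted.image)),
        "after_overwrite": len(carve(erased.image)),
        "wiped": verify_wiped(erased.image),
    }


if __name__ == "__main__":
    print(demo())   # constructed sample: 3 hits after delete, 0 after overwrite
```

Run on a real drive, `carve` and `printable_strings` correspond to pointing a regex or `strings` at the raw block device rather than at the mounted filesystem; `verify_wiped` is the check a disposal protocol should record before a machine leaves the building, since an unverified "wipe" is exactly how drives end up on eBay with client spreadsheets intact.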