Data Breaches from End-of-Life IT Devices: Not ‘If’ but ‘When’

While the age of Big Data has improved our lives in countless ways, there is seemingly an equal number of potential downsides. The exponential rate at which data volume is growing has spawned nonstop cyber-activity intent on using this data for illegal purposes. The danger couldn’t be more extreme – or more real: in today’s internet-dominated world, someone seeking to steal sensitive, confidential or proprietary data (e.g. personally identifiable information) no longer has to physically breach a facility.

It’s important to remember, however, that data theft isn’t limited to online, or cyber, activity. IT assets constitute physical hardware that is likewise vulnerable to theft. Consequently, it’s critical that companies safeguard IT assets throughout the entire lifecycle, including physical destruction to the point of irreversibility. The costs of stolen data can involve monetary fines in the millions of dollars – while the intangible costs associated with reputation damage, identity theft and disclosure of confidential/sensitive information can easily exceed all measurement.

Cyber-Related Data Breaches are Becoming More Destructive…and More Expensive

In mid-2019, the UK’s Information Commissioner’s Office (ICO) set a then-record by fining British Airways $230m for violating the European Union’s General Data Protection Regulation (GDPR). The infamous Magecart group of cyber-criminals hacked into the British Airways system and used just 22 lines of code to harvest personal and payment data for approximately 500,000 customers over a two-week period.

Days later, the ICO slapped Marriott International with a $124m fine after it experienced a breach that compromised over 339 million guest records worldwide during its acquisition of Starwood Hotels & Resorts Worldwide. Marriott reported the breach shortly after its discovery in November 2018 – at which time the attackers had already been in the system for four years.

Perhaps the largest cyber-related theft thus far occurred in 2017, when an unpatched bit of framework in one of Equifax’s databases allowed data associated with approximately 147 million people to be stolen. After discovering the breach, Equifax waited more than a month to report it. The company’s negligence will cost it a penalty in the range of $575m to $700m, after a record settlement in July 2019 with the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB) and all US states and territories.

Waiting for the Inevitable: Physical IT Assets and the Failure to Destroy End-of-Life Data

Given the carelessness with which many organizations, governments, individuals and third-party companies discard IT assets, it’s amazing that catastrophic end-of-life data breaches have not yet occurred. We have previously discussed why a comprehensive in-house destruction plan for end-of-life data is essential, since you simply do not know what happens to data unless your organization has supervised firsthand the entire data life cycle.

There have been several studies conducted over the last several years that highlight how often personal and classified information is found on used hard drives and USB drives – such as a 2019 study from Ontrack and Blancco Technology Group that estimates sensitive data is left on about 42% of used hard drives sold on eBay. Earlier in 2019, researchers at the University of Hertfordshire purchased 100 used USB flash drives in the UK and 100 in the US from eBay; 68% in the US and 67% in the UK contained recoverable data from their previous owners, and more than half of those drives contained sensitive business and personal data.

In 2017, the Channel NewsAsia documentary The Trash Trail tracked the purchase of nine hard drives from various shops at Sim Lim Square in Singapore. The buyers were assured by the shop owners that all drives had been wiped clean and reformatted. The reality was that five of those drives contained sensitive personal information, and one of them contained complete medical records and passport details. Two additional hard drives contained sensitive corporate information.

In 2009, a study conducted by British Telecommunications’ Security Research Centre, the University of Glamorgan in Wales, Edith Cowan University in Australia, and Longwood University in the US examined 300 secondhand hard drives. On those drives was a variety of sensitive information, including trading performance and budget documents of a fashion company, corporate data from a motor-manufacturing company and test launch procedures for the US Terminals High Altitude Area Defense (THAAD) ground-to-air missile system.

In all these examples, imagine what could have happened if that data had fallen into the hands of criminals rather than those of individuals conducting investigative studies. Catastrophic end-of-life data breaches will happen – it’s just a matter of time – so no one handling sensitive data should become complacent or take a lax approach to the security of sensitive data. Bottom line: any used IT storage device that has not been directly in your organization’s chain of custody for its entire life or has reached its end-of-life should be thoroughly destroyed in-house and rendered unusable with equipment that meets or exceeds industry standards.

What’s Hot on Infosecurity Magazine?