Data Security and Third-Party IT Asset Disposition: A Paradox

Data security is a hot topic these days, and for good reason. In 2017 alone, 1579 data breaches occurred in the United States with an average cost of $7.35m per breach. According to the 2017 Data Breach Year-End Review released by the Identity Theft Resource Center (ITRC) and CyberScout, the 2017 breaches represent an unprecedented 44.7% increase over the record-breaking number of breaches in 2016, and the number is only expected to grow. In fact, it is anticipated that the global cost of cybercrime will exceed $6tn by 2021, up from $3tn in 2015.

Data breaches affect the privacy and security of individuals, businesses and governments, at extensive cost to the breached organization. Costs include everything from covering credit monitoring for affected individuals to settling lawsuits to lost business and reputation. According to a Soha Systems Survey on Third Party Risk Management, 63% of all data breaches are linked to third parties such as vendors, contractors or suppliers, while only 2% of IT professionals consider third-party security a top concern. Clearly, the criticality of data security throughout its lifecycle, including end-of-life (which is typically either controlled by a third-party IT asset disposition company or ignored altogether), cannot be overstated.

It is easy to illustrate the severity of data insecurity resulting from third parties. Ghana, well known to be one of the top sources of cybercrime globally, is home to Agbogbloshie, a digital graveyard in the slums on the bank of the exceedingly polluted Korle Lagoon. This area, known as Sodom and Gomorrah by outsiders, is one of many computer and electronics landfills around the globe. The discarded computers and electronic devices found in Agbogbloshie come from developed nations, including the United States. Originally pitched to the locals as a means to help with the digital divide, fewer than 50% of these electronic ‘donations’ are working computers; the rest is simply electronic trash. The residents have learned to salvage the devices or their parts to turn a small profit, but the real threat comes from the organized crime in the area that scours the drives for personal or sensitive information to use in scams or blackmail.

As part of an investigation into this digital dumping ground, journalism students from the University of Vancouver, British Columbia purchased seven hard drives at a cost of $35 from an Agbogbloshie e-waste dealer. What they found was shocking: credit card numbers, social security numbers, bank statements, as well as personal information and photos. They also retrieved a sensitive $22m US defense contract from US military contractor Northrop Grumman’s hard drive, which also contained sensitive contracts with NASA, the Transportation Security Administration (TSA) and Homeland Security. All of this came from just seven hard drives.

In a 2003 study, Tom Spring from PC World Magazine acquired ten used hard drives in the Boston, MA area from thrift stores and salvage yards. Nine of these ten drives contained sensitive data including social security numbers, credit card numbers and banking statements, as well as tax, medical and legal records. Using the information found on the drives, Spring contacted the original owners of the drives, some of whom had contracted electronics disposal or recycling companies to erase their hard drives.

In 2006, Idaho Power Company learned that 84 of the 230 hard drives they had contracted salvage vendor Grant Korth to sanitize and recycle had actually been sold to third parties on eBay. These drives contained sensitive information including proprietary company information, confidential correspondence and employee data including social security numbers. We could go on and on.

When disposing of end-of-life data, many companies turn to data disposal or recycling vendors and assume that their drives – and the data they contain – are being handled responsibly and safely. The reality is far different. While there are certainly many reputable data sanitization companies, it is just too risky to entrust sensitive information to any third party, simply because of the unknown. In addition to sloppy or greedy third-party IT asset disposition companies, there are a growing number of sham recyclers in operation – companies that offer to pick up and recycle PCs for free, then actually sell them to cyber-criminals specifically so they can mine the data they contain for illicit activity. The only truly secure method of IT asset disposition is in-house drive destruction. The National Security Agency has long known this truth and requires rotational platter-based hard drives to be both degaussed (erased) and physically destroyed prior to disposal. Not only does drive destruction through crushing, shredding or disintegration ensure data privacy and security, it is also environmentally responsible. Shredded hard drive scraps are more easily sorted for metals recycling, which leaves a smaller quantity of true waste, and they are less likely to end up in Agbogbloshie.
