Is In-House Data Destruction Really Necessary? The Answer Is a Big Yes!

As we get deeper and deeper into the digital age, the ever-growing demand for the creation, storage, dissemination and destruction of big data continues to drive the development of increasingly complex technology. Today, the average consumer can create and store more data in more ways and at a faster rate than ever before; likewise, the capability of organizations to create, harvest and analyze head-spinning amounts of data – at speeds faster than the human eye can blink – is simply unprecedented.

While innovation has exponentially enhanced our ability to communicate, it also brings new challenges and risks that must be given serious consideration. With commerce, healthcare, education, finance, government and municipal industries fully embracing digital technology to migrate and manage data flow across their entire scope of operations, the stakes arising from compromised, breached and/or exposed data couldn’t be higher.

The Challenges of Protecting Data

Since such data is of inestimable value, protecting it from unauthorized access through end-of-life is essential. Accordingly, legislation and regulations regarding data collection, storage and destruction for any organizations handling personally identifiable information (PII), classified information, controlled unclassified information (CUI), sensitive but unclassified information (SBU) or information for official use only (FOUO) continuously get more stringent.

Unfortunately, egregious data breaches are becoming almost commonplace, with regular news coverage highlighting the dangers down to the consumer level. After a slight decrease in data breaches from 2017 to 2018, there has been a massive increase from 2018 to 2019. According to the 2019 MidYear QuickView Data Breach Report, as of July 2019, 3,813 breaches have exposed over 4.1 billion records. The average cost of each breach is $3.86m, which equates to an average cost of $148 per lost or stolen record.

Another alarming trend is the growing frequency of attacks on third-party vendors. Criminals have been targeting organizations that provide data management, control and destruction services for multiple entities, thereby increasing the amount of data that can be harvested from one source. A recent survey found that 59% of companies experienced a third-party data breach in 2018.

So how does an organization protect itself?

The Challenge of Protecting an Organization

Data encryption, management, transference and destruction are increasingly robust tasks, which often prompt companies to rely on third-party solutions to help mitigate in-house workload. Doing so, however, represents the single largest cause of data security violations.

Using a third-party for your data destruction can put an organization at high risk
Using a third-party for your data destruction can put an organization at high risk

Using a third-party for your data destruction puts your organization at high risk during multiple touchpoints within the destruction process. The first point of risk is immediate – transferring the data from your facility to the third-party destruction facility. To ensure maximum safety, classified data and sensitive data such as PII, CUI, SBU and FOUO should be destroyed immediately and on-site at end-of-life.

Several concrete examples serve to illustrate the severe risks inherent in using third-party, off-site sources for IT asset disposition (ITAD). Particularly concerning are real-life episodes in which third-party providers do not destroy the data as promised (which has been documented as occurring at all levels of commerce). In one such instance, a man went to a Best Buy in Cincinnati, OH, in 2005 to replace a hard drive and was assured that his old one would be destroyed. However, six months later, he received a phone call from a stranger in Chicago who had purchased his hard drive for $25 at a local flea market. The stranger contacted the man because all his personal information was still stored on the hard drive.

In 2009, British telecom firm BT and the University of Glamorgan randomly purchased 300 hard disks from various fairs and auctions and discovered that 34% of them still housed personal data. In fact, in addition to banking and medical details, the research team even found Terminal High Altitude Area Defense (THAAD) data pertaining to missile defense systems.

In 2017, technology firm Kroll Ontrack purchased 64 used hard drives on eBay. The company discovered that more than 50% of the hard drives contained sensitive data, sometimes belonging to commercial organizations. It was determined that one of the drives originated at a company that reportedly used a service provider to erase and sell its old drives; the drive still contained sensitive information, including home addresses, phone numbers, user names, credit card details and a database containing a host of employee-related information.

This year, Finnish company Blancco published the results of a study in which it purchased 159 used hard drives on eBay from American and European sellers who stated the data had been wiped clean before resale. Nonetheless, 42% of the hard drives housed data from the previous owner, and 15% contained PII, such as passports, birth certificates, financial records, internal FOUO emails and files from a freight company that included vehicle registrations and records from a school containing student photos, names and grades.

The Solution

Clearly, the solution is to thoroughly destroy personal and sensitive data – well past the point of possible reconstruction – when it reaches end-of-life. Although many companies claim to provide this service, the only way to guarantee the data is wholly obliterated is to destroy it in-house with adequately rated equipment. The National Security Agency (NSA) and the Central Security Service (CSS) maintain an updated list of evaluated and approved devices for data destruction – from paper and optical media to hard disks and solid-state drives.

At SEM, we take data destruction seriously. We have destruction devices that meet and frequently exceed all current requirements for even the highest levels of security. An investment in in-house destruction equipment is more cost-effective than employing a third-party service long-term – but, most importantly, such an investment eliminates potentially catastrophic risks associated with data breaches.

Brought to You by

What’s Hot on Infosecurity Magazine?