BT investigation into eBay hard drives reveals US air defence launch secrets

The British telecom giant BT says that the disk bought on eBay revealed details of test launch procedures for the THAAD (Terminal High Altitude Area Defence) ground to air missile defence system, used to shoot down Scud missiles in Iraq.

Credant, the end point encryption specialist, says the fact that such closely-guarded military secrets were available on a hard drive sold on a major auction site is extremely worrying.

Michael Callahan, Credant's senior vice president, described the sale of the data on the second-hand drive as a serious lapse of security procedures for the agency concerned.

The worrying aspect about the incident, he said, is that it may not be a one-off event as, back in April 2006, there was the well-publicised incident of a flash drive with US spy data being sold in an Afghan bazaar for just US$40.

"The ensuing investigation into that incident revealed the fact that the data had been downloaded from an unencrypted hard drive."

Back to the latest security faux pas and Callahan noted that the lack of encryption - rather than a lack of enforced policies on disposal of old drives - was the root cause of the incident.

If the data on the PC used in Afghanistan in 2006 had been encrypted - as had the data on the hard drive reportedly sold on eBay - then, he claimed, the ensuing press embarrassment for the US military would not have happened.

The investigation that revealed the US military hard drive and its data was carried out by BT's Security Research Centre in collaboration with the University of Glamorgan in Wales, Edith Cowan University in Australia and Longwood University in the USA.

BT said it found 34% of the hard disks bought and examined contained "information of either personal data that could be identified to an individual or commercial data identifying a company or organisation."

The researchers concluded that a "surprisingly large range and quantity of information that could have a potentially commercially damaging impact or pose a threat to the identity and privacy of the individuals involved was recovered as a result of the survey."

Over at Credant Technologies, Michael Callahan said that the bottom line to the eBay hard drive incident - and as the Afghan US$40 bazaar sale clearly proves - is that government IT security procedures, policies and enforcement systems need to be multi-layered and multi-faceted, with encryption forming the mainstay of such protection.

What’s hot on Infosecurity Magazine?