Organizations have been urged to revisit their policies on the deletion of corporate data after it was revealed that used drives sold online often contain both personal and sensitive enterprise data.
Security firm Blancco Technology Group bought 200 second-hand hard disk drives and solid state drives from eBay and Craigslist in Q1 and then analyzed them to see if any data had been left behind by their previous owners.
It found that a shocking 67% of the drives contained personally identifiable information while 11% held sensitive corporate data.
Of the latter, company emails were most prevalent, followed by spreadsheets containing sales projections and product inventories, and then CRM records.
BTG warned firms that failure to properly wipe drives before putting them up for resale could result in a data breach, which ultimately hits the bottom line as well as customer loyalty and the reputation of the brand.
However, there are also potential industry fines and even possible legal action to consider in the event of such a breach.
The UK privacy watchdog, the Information Commissioner’s Office (ICO), handed out what was its biggest ever fine (£325K) back in 2012 when several hard drives were discovered on eBay with highly sensitive data belonging to staff and patients at Brighton and Sussex University Hospitals NHS Trust.
Only 10% of the 200 HDDs and SSDs Blancco analyzed had been made safe via a secure data erasure method. Over a third of those studied had data improperly deleted by dragging files to the recycle bin or else simply hitting the delete button.
BTG IT security consultant Paul Henry claimed that notorious dating site Ashley Madison was also guilty of failing to fully expunge user data from its systems when requested.
“The big lesson for Ashley Madison – and any other type of business – should be to test that your deletion methods are adequate and to not blindly trust that simply ‘deleting’ data will truly get rid of all of it for good,” he warned.
“Remaining data can still be accessed and recovered unless the data is securely and permanently erased.”