The Splash of Glamorgan
23 March 2005 10:41 UTC
What a shocker - what a surprise.
Andrew Blyth works with IT security at Glamorgan University in Wales.
Recently his team at the School of Computing purchased a whole carload of used PCs, primarily from eBay, to see what they could find. And they came up with quite a lot.
Andrew's team didn't use any advanced forensic hardware; in fact they didn't use any forensic hardware at all. They used EnCase, Mailbag Assistant, NetAnalysis, and Perl. Forensic software.
Meaning the data recovered did not represent data that had been shredded or even purged - it was simply left willy-nilly on the drives.
The one hundred eleven boxes they bought cost them less than £1,000. More than half still had confidential information on disk.
What Was Found
The data found included social security numbers, evidence of a married woman's affair, and detailed biographical information about minors.
Hard drives from staff members of Hull University, Southampton University and Harrow College included details of special interest sex sites visited by users and a document template for one of the university's degrees.
Information retrieved from a drive owned by a charity included emails from a married female employee in which she discussed intimate details of her marriage and an apparent affair.
Information retrieved from a Church of England primary school head teacher's computer in East Yorkshire included school reports, an extensive list of pupils, personal letters to parents, and psychological information on several children.
A hard drive from the Swedish insurance giant Skandia, which has invested heavily in data destruction, still contained private information. A spokeswoman for Skandia welcomed the investigation but described the findings as 'absolutely horrifying'.
Monsanto, the US firm involved in the production of genetically modified plants, confirmed that the company would begin an investigation after details of its crop research appeared on one hard drive.
National insurance numbers for employees of Scottish & Newcastle's pubs division, since sold to the Spirit Company for £2.5 billion, were found on another drive.
'This demonstrates how easy it is to access information which is not adequately protected', said Tony Neate, industry liaison manager for the UK National High-Tech Crime Unit.
The story splashed all over the place, initially at the Times of London.
After the splash in the Times, it quickly splashed elsewhere.
Devil's Advocate: Buying secrets on eBay
You can buy almost anything on eBay, including computers. And it seems when you buy a computer on eBay there is a better than evens chance of getting some confidential data thrown in. This information comes from the University of Glamorgan, which bought 100 computers from the online auctioneer just to see what was to be found.
Warning on waste PC data danger
Businesses disposing of computers have a legal obligation under the Data Protection Act to ensure private data held on them is removed.
What's the moral of the story? Easy: people are stupid. But worse than that: they simply don't care.
It's one thing to just dispose of a computer and not worry what people will find; it's quite another to engage in 'shady' activities and still not care (bordering on the moronic here); it's quite another to have full knowledge that the data on the computer is confidential and still be such an idiot...
And it's another to be fully aware, as corporations in the UK are, that there are laws which require corporations to adequately dispense with such information - and still not do anything about it.
Then there's the charity feeling hard hit by the bad news, wishing to assure everyone that their security practices are better and your sensitive personal and corporate data will not fall into the wrong hands.
Charity hits back at 'destroy your PC' claims
A charity which reconditions second hand Pentium computers for use in the Third World has hit out at media coverage this week which encouraged companies to destroy old kit by driving nails through the hard drive of each computer they discard.
Computer Aid International assures businesses it will wipe data to government approved levels [sic] and offers strict reassurances to businesses that their data will be entirely removed before the PC gets its new lease of life.
(Something like MI5 and the NSA outsourcing their disk cleansing to Outer Mongolia: it's not going to happen.)
Let this be a warning:
- In the UK this is illegal and carries a penalty.
- In all countries it's downright stupid and carries its own cordial bomb.
- Donate all you want but secure the drives first.