In 2003, Simson L Garfinkel and Abhi Shelat published a document entitled “Remembrance of Data Passed: A Study of Disk Sanitization Practices.” The study looked at hard drive sanitization practices, or lack thereof, and what the consequences could be. Disk Sanitization just means that private data on the drive has been removed. Can you imagine the private contents of your data showing up for someone else? Most people assume that this is not a common phenomenon, but they’re wrong. Here are a few examples that Garfinkel and Shelat relay:

• In the spring of 2002, the Pennsylvania Department of Labor and Industry sold a collection of computers to local resellers. The computers contained “thousands of files of information about state employees” that the department had failed to remove.
• In August 2001, Dovebid auctioned off more than 100 computers from the San Francisco office of the Viant consulting firm. The hard drives contained confidential client information that Viant had failed to remove.
• A Purdue University student purchased a used Macintosh computer at the school’s surplus equipment exchange facility, only to discover that the computer’s hard drive contained a FileMaker database containing the names and demographic information for more than 100 applicants to the school’s Entomology Department.
• In August 1998, one of the authors purchased 10 used computer systems from a local computer store. The computers, most of which were three to five years old,contained all of their former owners’ data. One computer had been a law firm’s file server and contained privileged client–attorney information. Another computer had a database used by a community organization that provided mental health services. Other disks contained numerous personal files.
• In April 1997, a woman in Pahrump, Nevada, purchased a used IBM computer for $159 and discovered that it contained the prescription records of 2,000 patients who filled their prescriptions at Smitty’s Supermarket pharmacy in Tempe, Arizona. Included were the patient’s names, addresses and Social Security numbers and a list of all the medicines they’d purchased. The records included people with AIDS, alcoholism, and depression.

Now, these types of slips are rare, or rarely caught, or rarely reported. What you might not know is that a hard drive that is sold forfeits confidentiality rights. So, if your company sells a hard drive and it contains trade secrets, then your trade secrets aren’t so secret anymore. How would you like to hear that on a Monday morning?

But what about run of the mill folks like you and me? Well, they set out to find that answer. They purchased 158 reconditioned/repurposed drives on the secondary market. They concluded their study with these words: “With several months of work and relatively little financial expenditure, we were able to retrieve thousands of credit card numbers and extraordinarily personal information on many individuals. We believe that the lack of media reports about this problem is simply because, at this point, few people are looking to repurposed hard drives for confidential material. If sanitization practices are not significantly improved, it’s only a matter of time before the confidential information on repurposed hard drives is exploited by individuals and organizations that would do us harm.”

I hope that incites fear into you.

Related Posts:

• No Related Posts