Full Disk Encryption Could Have Saved Oklahoma Corporation Commission A Bunch Of Headaches.

Joe Sill bought fifty computers from a government auction.  His intent, according to koco.com, was to refurbish and resell them.  Instead, he’s had to put a hold on those plans because he found over 5000 Social Security numbers on the computers’ hard drives.  If only those drives had full disk encryption on them; then, Sill would have just installed a new OS and been done with it.


The Oklahoma Corporation Commission, the source of the computers, is not to blame for the data breach, though (or, perhaps, they deserve partial blame).  It turns out that they don’t usually handle sensitive information, so they left the hard drives behind in the computers for the auction.  So where did the SSNs come from?  Apparently, the computers were used by the Oklahoma Tax Commission before being transferred to the Corporation Commission.  They may both be government entities but, just like the IRS shouldn’t have access to top secret information from the CIA, the Tax Commission should have ensured that those SSNs and any other sensitive information were wiped before handing the computers over to the Corporation Commission.


People have commented on various sites carrying the above news that this is not acceptable, and that it takes just a little time and the right software to ensure this doesn’t happen.  What they mean is that data overwrites can prevent sensitive information like SSNs from leaking.  An overwrite is much more secure than deletion because “deletion” doesn’t really delete data—it just marks that particular data space as available for new data and “hides” the icons from appearing on your desktop.  Since the icons are now hidden, the user can’t access the data anymore.  But this doesn’t mean that the data is actually gone.


Let me illustrate this point: if someone were to break into a library, rip the titles off the spine of each book, and place the books back on the shelves…the contents of those books are not gone, although you’d have a heck of a time trying to find “Tom Sawyer.”  Deleting data in a computer is similar in nature.  The data’s still there; you just can’t find it easily—unless you have the right software (which is also pretty cheap, considering).  The only way to get rid of data is to write over it with some other data—preferably random gibberish.  There’s software for that, too.
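
To make the difference between deleting and overwriting concrete, here is an added Python example (not from the original article) of the check one could run on a drive image before it leaves the building: it flags a file as deleted, scans the raw bytes for SSN-like strings, overwrites the image with random data, and scans again.  The toy directory entry, the offsets and the SSN-like values are constructed for the example.

```python
import os
import re
import tempfile

# Loose SSN-like pattern (NNN-NN-NNNN, ASCII only); expect false positives.
SSN_RE = re.compile(rb"\d{3}-\d{2}-\d{4}")
OVERLAP = 10  # one byte less than a match, so hits split across reads are seen

def scan_image(path, chunk=1 << 20):
    """Return sorted byte offsets of SSN-like strings in a raw image."""
    hits, tail, pos = set(), b"", 0  # pos = file offset of buf[0]
    with open(path, "rb") as f:
        while block := f.read(chunk):
            buf = tail + block
            hits.update(pos + m.start() for m in SSN_RE.finditer(buf))
            tail = buf[-OVERLAP:]
            pos += len(buf) - len(tail)
    return sorted(hits)

def logical_delete(path):
    """Mimic 'delete': flag the toy directory entry as free, leave the data."""
    with open(path, "r+b") as f:
        f.write(b"\xe5")

def overwrite(path, chunk=1 << 20):
    """Replace every byte of the image with random data, one pass."""
    left = os.path.getsize(path)
    with open(path, "r+b") as f:
        while left:
            n = min(left, chunk)
            f.write(os.urandom(n))
            left -= n
        f.flush()
        os.fsync(f.fileno())

def demo():
    """Constructed 64 KiB image; returns hits after delete and after overwrite."""
    img = bytearray(64 * 1024)
    img[0:11] = b"TAXRECS TXT"         # toy directory entry (constructed)
    img[4090:4101] = b"000-12-3456"    # constructed value, straddles offset 4096
    img[20000:20011] = b"000-65-4321"  # constructed value
    fd, path = tempfile.mkstemp(suffix=".img")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(img)
        logical_delete(path)
        after_delete = scan_image(path, chunk=4096)
        overwrite(path)
        return after_delete, scan_image(path, chunk=4096)
    finally:
        os.remove(path)
```

After the "delete" the scan still finds both values at their original offsets; only after the overwrite does it come back empty.  Flash-based drives remap blocks internally, so a software overwrite of such a drive may not reach every cell.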


However, these commenters (commentors? commentators?) are wrong in one aspect.  It takes more than a little time.  Because each bit on the hard disk has to be written over—multiple times, if one wants enhanced security—the bigger the drive’s capacity, the longer it takes.  Plus, computers need electricity to run, so one is severely limited in how many computers’ disks can be overwritten in parallel (unless you work in one of those offices with unlimited numbers of electrical sockets.  I hear they don’t exist).


There are other ways of protecting data, though.  One option that the Corporation Commission has resorted to is not including the hard drives in decommissioned computers that are to be auctioned off.  There is, however, the problem of eventually disposing of the drives themselves—by crushing, melting, overwriting, or even encrypting them.


Yep, full disk encryption solutions like AlertBoot would also be adequate for the disposal of hard drives.  When it comes to the disposal of drives, the one advantage of disk encryption over data overwrites is that you’d have to do it just once, as opposed to the three or more overwrites per disk that are recommended in certain circles.  Of course, if you have disk encryption at the very beginning, when you start using the computer, you get even more benefits, like bulletproof data protection if the computer is ever lost or stolen.
