£6.99. That’s how much a 36-year-old anonymous computer programmer paid for a computer on eBay that held the details of 35,000 taxpayers in the
The hard drive in question contained names; addresses; bank account details, such as account numbers and sort codes; and tax bills of residents of the Charnwood Borough Council area in Leicestershire. Also, photographs, memos, and other types of electronic documents were stored on the same computer.
A spokesman for the Charnwood Borough Council has stated, according to the BBC, that they have a policy of securely disposing of all computer hardware, and that it’s not “ever resold, donated, or given away to any party, staff or otherwise.” Furthermore, it was stated that a “reputable third-party organisation [provides] certification for each batch of disposed equipment, stating that drives have been wiped, or are destroyed.”
I’ll take bets that this is another case of a third-party contractor messing up (I’d hedge that bet with another bet, though, that it could have been a case of staff stealing office equipment. God knows it happens often enough). If my initial suspicion is correct, this is very worrisome. I mean, a company that makes it its business to ensure data is destroyed is not doing a good job if the computer ends up on eBay.
Now, some will point out, well, the company did its job—the computer programmer didn’t have access to the data directly; he used data recovery software (which is available for, like, $50 or less) to undelete the deleted data. This is where one has to start blaming semantics for spreading around ignorance.
When it comes to computers and electronic data storage, the word “delete” doesn’t mean to erase in the traditional sense. When people ponder the meaning of delete, they tend to think of the relationship between pencil and eraser: you rub the eraser, and the pencil marks are wiped away. With computers, it’s a little different. When you delete a computer file, the information still exists in the computer. You’ve only destroyed the way for your computer to easily find that file, meaning the computer can’t retrieve the data anymore (though the data can still be unearthed via recovery software), and you’ve authorized the computer to write new data over the file you “deleted.” As long as you don’t add any more documents to that computer, any guy with $50 (or less) would be able to recover such data.
That’s why when companies claim they’ve wiped data, it actually means they’ve added data: they add random data to write over sensitive files. And they do this at least three times. It’s not unlike taking your diary written in blue pen and, in order to ensure that no one can ever read it, dunking it into a vat of blue ink.
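The difference between deleting and wiping described above, as an added example that is not part of the original post: a toy in-memory disk where deletion only drops the index entry, so a raw scan still finds the data until the freed blocks are overwritten. `ToyDisk`, `residual_hits`, and the sample record are hypothetical and constructed for illustration; this models no real filesystem.

```python
import os

BLOCK = 512  # constructed block size for the toy disk image

class ToyDisk:
    """In-memory disk image: a directory (name -> block list) plus raw blocks."""
    def __init__(self, nblocks=64):
        self.raw = bytearray(nblocks * BLOCK)
        self.directory = {}
        self.free = list(range(nblocks))

    def write_file(self, name, data):
        blocks = []
        for off in range(0, len(data), BLOCK):
            b = self.free.pop(0)
            chunk = data[off:off + BLOCK]
            self.raw[b * BLOCK:b * BLOCK + len(chunk)] = chunk
            blocks.append(b)
        self.directory[name] = blocks

    def delete(self, name):
        # "Delete": drop the index entry and mark the blocks reusable. Data stays put.
        self.free.extend(self.directory.pop(name))

    def wipe_free_space(self, passes=3):
        # Overwrite every unallocated block with random bytes, `passes` times.
        for _ in range(passes):
            for b in self.free:
                self.raw[b * BLOCK:(b + 1) * BLOCK] = os.urandom(BLOCK)

def residual_hits(disk, markers):
    """Scan the raw image the way recovery software does, ignoring the directory."""
    return {m for m in markers if m in disk.raw}

def demo():
    disk = ToyDisk()
    record = b"name=J. Example;sort_code=00-00-00;account=00000000\n"  # constructed
    disk.write_file("taxpayers.csv", record * 20)
    markers = [b"sort_code=", b"account="]
    before = residual_hits(disk, markers)
    disk.delete("taxpayers.csv")
    after_delete = residual_hits(disk, markers)  # file is "gone", data is not
    disk.wipe_free_space(passes=3)
    after_wipe = residual_hits(disk, markers)    # nothing left to recover
    return before, after_delete, after_wipe
```

The same idea, scanning the raw media for known markers rather than trusting the file listing, is how a wipe claim can be spot-checked before hardware leaves the building.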
Granted, this process works after the life term of a computer. The US Department of Defense uses it for wiping disks that carried sensitive (but not classified) information. (Disks containing top secret information supposedly get pulverized into dust.) But what do you do while the computer is still on active duty and something like the eBay scenario above unfolds, i.e., a computer shows up for sale on an auction site when it shouldn’t have?
Having honest, competent staff works wonders, as does having the correct security-minded computer and data policies. But that still can’t take care of those vicissitudes in life where things don’t go according to plan, where the computer can’t be protected because it’s not under the physical aegis of your company.
In such instances, it only makes sense that the protection follow around the computer. There are many computer security solutions out there. Some are conditional, as in they have to be connected to the internet to work. Personally, I think such solutions are designed to recover hardware, not to protect data. If one is really looking to prevent an information security breach, there’s no two ways about it: disk encryption or file encryption must be used.