Another article, this time from the irishtimes.com, shows how second-hand hard drives sold on on-line auction sites contain enough information to make identity thieves very happy.
A twist on this particular story, however, is that these drives are being traced back to employees who work at home on their personal computers (personal as in the state of ownership, not the size of the computer). Information protection services like AlertBoot data encryption software would help prevent such breaches…but can a company dictate that employees use encryption on their home PCs?
Second-Hand Drives’ Contents
A study by Ernst & Young has revealed that used drives bought for as little as five Euros can contain extremely sensitive information such as bank account details, confidential e-mails, etc.
In most cases, the sellers hadn’t even erased the information, and it was readily accessible. Some had gone through the process of deleting files or reformatting the drive; however, as the E&Y guys correctly pointed out, it’s still easy to retrieve data.
Reformatting the drive, for example, doesn’t really erase data. What it does is the following:
Erases data on the address tables (i.e., bookkeeping information to keep track of where your data files can actually be found. Information for the same file can be separated into chunks and saved in different parts of your drive, and is reassembled when called for)
Runs disk checks to figure out sector reliability, and marks the bad ones as unusable
Creates a new address table since the old one was erased
In other words, most of your data is still there…it’s just that the computer can’t find it on its own (on account of having deleted the address tables). However, there is plenty of cheap software out there that can recover this information for you.
Likewise, deleting data just marks a particular area in the hard drive as “available for data to be written.”
Deleting Data? No! Overwriting Data
Technically, there is no way to “delete” data. As pointed out, what gets deleted is essentially the way for the computer to retrieve that particular piece of information. The only way to “delete” data is to replace it.
And the only way to replace data is to write over it with new data. In fact, what your IT department does prior to tossing a hard disk is pretty simple: run data-writing software on it to write random information throughout the disk.
Run it three times or so for modern disks, and it’s pretty much guaranteed that the old data–the sensitive e-mails, bank account numbers, etc.–will not be recoverable.
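The difference between deleting, reformatting and overwriting can be seen on a toy in-memory disk. This is an added example, not from the original article; the `ToyDisk` class, its 512-byte sectors and the sample string are all constructed for illustration and do not model any real file system.

```python
import os

SECTOR = 512  # toy sector size (assumption)

class ToyDisk:
    """In-memory model: raw sectors plus an address table (the bookkeeping)."""
    def __init__(self, sectors=64):
        self.raw = bytearray(sectors * SECTOR)
        self.table = {}                    # file name -> list of sector numbers
        self.free = list(range(sectors))   # sectors available for new data

    def write_file(self, name, data):
        used = []
        for i in range(0, len(data), SECTOR):
            chunk = data[i:i + SECTOR]
            n = self.free.pop(0)
            self.raw[n * SECTOR:n * SECTOR + len(chunk)] = chunk
            used.append(n)
        self.table[name] = used

    def delete_file(self, name):  # sectors are only marked available
        self.free.extend(self.table.pop(name))

    def quick_format(self):
        # Throw away the address table and build an empty one.
        self.table = {}
        self.free = list(range(len(self.raw) // SECTOR))

    def overwrite_all(self, passes=1):  # what a wiping tool does
        for _ in range(passes):
            self.raw[:] = os.urandom(len(self.raw))

    def residual(self, marker):  # True if marker is still in the raw sectors
        return marker in self.raw

def demo():
    secret = b"IBAN IE00 CONSTRUCTED 0000 0000 0000 00"  # constructed sample
    disk = ToyDisk()
    disk.write_file("bank.txt", secret)
    steps = [("after_delete", lambda: disk.delete_file("bank.txt")),
             ("after_format", disk.quick_format),
             ("after_overwrite", lambda: disk.overwrite_all(passes=3))]
    results = {}
    for stage, step in steps:
        step()  # each result is (listed in table?, bytes still on disk?)
        results[stage] = ("bank.txt" in disk.table, disk.residual(secret))
    return results

if __name__ == "__main__":
    print(demo())
```

After the delete and the reformat the file is no longer listed but its bytes are still present in the raw sectors; only the overwrite removes them.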
Using Encryption Software
The use of encryption software can also achieve the same degree of security, since information is stored in a random format (it only turns back into usable information when a password is provided). Assuming the password to access the encrypted disk is not attached to the drive, the contents of the drive are secure when one decides to sell it on eBay.
The problem is–and I’m not a lawyer but I think this sounds about right–a company can’t dictate what one does with his personal property. I guess the correct solution would be not to allow corporate files to be downloaded to home computers, or to only allow encrypted files to be downloaded, or even to give corporate laptops to employees working from home.
Since that particular computer is company property, installing encryption and protecting the contents would be feasible.