A man who bought a used computer claims to have found “thousands” of files with personal data on West Cheshire College students. The College is claiming otherwise. It’s a situation that would not have developed if disk encryption like AlertBoot had been used.
Mobile Security for Desktop Computers
As the BYOD trend begins to gather steam, mobile security tools like smartphone encryption are beginning to attract interest. But, the West Cheshire College story shows that such solutions are a rehash of an old problem. Namely, how do you ensure data security throughout a device’s life?
The computer the man bought was an old-fashioned tower (desktop) computer. According to ellesmereportpioneer.co.uk:
the second-hand computer tower and hard drive for £5 from a sale at the Countess of Chester Hospital on May 13.
The man, who does not want to be named, said he was stunned when he got home to find thousands of files containing personal information from the college [West Cheshire College] still on the computer’s hard drive.
He claims it included names, dates of birth, emails, course details, exam results, work timetables and even photographs of students.
The computer was also checked by the college’s IT department. According to their investigation, “the contents of the hard disk and test dates including names and dates of births of less than 60 students were found on the disk with no further relevant information.”
Who’s right? Well, the UK’s Information Commissioner’s Office (ICO) shouldn’t have a problem determining this because, “unbeknown to the college, he had already made a backup copy of the drive which he is now planning to hand to the Independent Complaints Office.”
This entire controversy probably comes as a surprise to West Cheshire College because efforts were (supposedly) made to ensure data security (my emphasis):
This particular computer was one of a handful of old computers donated to members of staff and though data is electronically wiped before disposal we have found that this particular computer had a physical issue preventing the full wiping of the disk.
We have now strengthened our internal processes of disposing of old computers to ensure that our systems are 100% robust.
I think we can surmise that the college really did engage in data wiping, as opposed to merely deleting files and “emptying the recycle bin.” The latter may remove file icons from your desktop but does not necessarily mean that the data was erased. True digital data wiping involves overwriting every sector on a hard drive.
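The overwrite-then-verify step described above, as an added example (not code from the college or any product named here): a read-back pass catches a wipe that a faulty drive left incomplete. The 512-byte sector size, the FlakyDisk stand-in and the sample records are constructed assumptions.

```python
import io

SECTOR = 512  # assumed logical sector size

def wipe(dev, size):
    """Overwrite every sector with zeros; return sectors whose write failed."""
    failed = []
    for n in range(size // SECTOR):
        try:
            dev.seek(n * SECTOR)
            dev.write(bytes(SECTOR))
        except OSError:
            failed.append(n)  # record and continue; never abort silently
    return failed

def verify(dev, size):
    """Read every sector back; return those unreadable or not all zero."""
    residual = []
    for n in range(size // SECTOR):
        try:
            dev.seek(n * SECTOR)
            if dev.read(SECTOR) != bytes(SECTOR):
                residual.append(n)
        except OSError:
            residual.append(n)
    return residual

def sanitize(dev, size):
    """Wipe, then verify. Release the disk only if both lists are empty."""
    failed, residual = wipe(dev, size), verify(dev, size)
    return {"write_failed": failed, "residual": residual,
            "releasable": not failed and not residual}

class FlakyDisk(io.BytesIO):
    """Constructed stand-in for a drive whose sectors 3 and 4 reject writes."""
    bad = {3, 4}
    def write(self, b):
        if self.tell() // SECTOR in self.bad:
            raise OSError("simulated write error")
        return super().write(b)

def demo():
    data = (b"name,dob,result\n" * 256)[:8 * SECTOR]  # constructed records
    healthy = sanitize(io.BytesIO(data), len(data))
    faulty = sanitize(FlakyDisk(data), len(data))
    return healthy, faulty
```

A disk that reports any failed or residual sector should be withheld from donation or resale and physically destroyed instead.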
What’s funny is that implementing encryption software generally takes about as long as properly wiping data. And while wiping data is a “device end-of-life” process that sometimes can fail, encryption is not only as effective as a data overwrite, it protects the contents of a device during its serviceable lifetime as well (for example, if the computer were to be stolen).
The use of full disk encryption is a no-brainer in certain situations, especially if you are cognizant of the usual risks and take a long-term approach to security.