According to The Telegraph at macon.com, the Sheriff’s Office is investigating how computers that contained sensitive data ended up on the auction block at govdeals.com. The use of managed full disk encryption like AlertBoot would have prevented this particular data breach quite easily: it would have been a matter of “deleting” the machine from the central console, ensuring that the encryption keys are lost forever.
Government Deal Gone Bad
From the information I can find, the reconstructed scenario is as follows: it is decided that city computers need replacing. The old computers are to be sold, and in order to do so these are turned over to the city’s Information Technology Department. The IT Department sanitizes the computers (i.e., deletes any data contained within). The city then puts the inventory for sale at govdeals.com. According to the site,
GovDeals provides services to various government agencies that allow them to sell surplus and confiscated items via the Internet. Each participating agency has its own auction rules and regulations and may be subject to government ordinances.
And what deals! A 1998 Ford Econoline E150 is going for $99 as I write this sentence. The scrap metal value alone is much more than that!
Anywhooo, there is some controversy as to who sold the computers: the police department or Macon’s finance department. The finance department notes that they don’t sell old computers. The police department notes that they’re not in charge of prepping the computers for sale.
And they’re right. One’s attention should really be directed to the city’s IT Department, which one assumes is in charge of vetting whether city computers – be they from the police department, finance department, or any other type of government department – to be sold, retired, disposed, etc. are free and clear of any sensitive data.
Deleting Computerized Content, Preventing a Data Breach
Deleting data on a computer is an arduous process. While the process is automated for the most part, it takes forever because every single byte found on a computer must be written over. That’s right. In the world of paper, you can get rid of data by deleting the information (e.g., using an eraser to get rid of pencil markings) or writing over it (e.g., using a marker and covering pencil markings).
In the digital realm, only the latter is available. That’s why when you go to the “recycle bin” on a Window’s machine and permanently delete something, it doesn’t do squat for digital privacy. You’ll notice that the process takes seconds, a couple of minutes if you’re deleting a large amount of data, whereas writing over the same amount of data takes much, much more time. In fact, with today’s hard disk capacities, it’s not unusual for the process to take five to six hours per disk.
If encryption software had been used to protect the data on these same disks, the process would have been much shorter and much easier: lose the encryption key. Without this vital key, it is impossible to retrieve the data. And losing it takes mere seconds, even if we’re talking about a disk drive with over 100 TB of data. Plus, the presence of encryption means that the computers would have been protected while they were being used, for example, if there had been a burglary at a city department.
Full disk encryption is no panacea. It doesn’t even come close to being one. But, it’s certainly worth its price.
Related Articles and Sites: