[Dataloss] fringe: 'Erased' personal data on agency tapes can be retrieved, company says
security curmudgeon
jericho at attrition.org
Thu Jan 24 17:09:55 UTC 2008
---------- Forwarded message ----------
From: InfoSec News <alerts at infosecnews.org>
http://www.govexec.com/dailyfed/0108/012308j2.htm
By Jill R. Aitoro
Govexec.com
January 23, 2008

Personal and sensitive government data -- including employees' personal
data -- on magnetic tapes that federal agencies erase and later sell can
be retrieved using simple technology, according to an investigation
conducted by a storage tape manufacturer.

The findings contradict a report released by the Government Accountability
Office last year that concluded such data was irretrievable.

From March through August 2007, GAO investigated if data could be
retrieved from used magnetic tapes that federal agencies sell to
commercial tape companies in the United States. Magnetic tapes are widely
used by federal agencies, particularly for backing up data stored on large
systems in the event of a disaster or system failure. The sample of tapes
that GAO obtained came from such agencies as the Federal Reserve Bank, the
Air Force and the National Oceanic and Atmospheric Administration.

According to its September 2007 report (GAO-07-1233R) [1], GAO concluded
it could not find "any comprehensible data on any of the tapes using
standard commercially available equipment and data recovery techniques,
specialized diagnostic equipment, custom programming or forensic
analysis."

Selling used magnetic tapes is not illegal, GAO pointed out, and if
agencies follow guidelines set by the National Institute of Standards and
Technology for erasing all data, the risk of theft is low. "Based on the
limited scope of work we performed, we conclude that the selling of used
magnetic tapes by the government represents a low security risk,
especially if government agencies comply with NIST guidelines in
sanitizing their tapes," GAO concluded. "Even if some data were
recoverable from some tape formats that had been overwritten to preserve
their servo tracks, the data may not be complete or even decipherable."
[..]