[Infowarrior] - Ebay'd laptop had top secret data

Richard Forno rforno at infowarrior.org
Thu May 7 13:17:57 UTC 2009 

Computer hard drive sold on eBay 'had details of top secret U.S.  
missile defence system'

By Daily Mail Reporter
Last updated at 11:08 AM on 07th May 2009

http://www.dailymail.co.uk/news/article-1178239/Computer-hard-drive-sold-eBay-details-secret-U-S-missile-defence-system.html

Highly sensitive details of a US military missile air defence system  
were found on a second-hand hard drive bought on eBay.

The test launch procedures were found on a hard disk for the THAAD  
(Terminal High Altitude Area Defence) ground to air missile defence  
system, used to shoot down Scud missiles in Iraq.

The disk also contained security policies, blueprints of facilities  
and personal information on employees including social security  
numbers, belonging to technology company Lockheed Martin - who  
designed and built the system.
missile

A missile launch in California: Details of the ground-to-air defence  
system were found on a computer hard drive

British researchers found the data while studying more than 300 hard  
disks bought at computer auctions, computer fairs and eBay.

The experts also uncovered other sensitive information including bank  
account details, medical records, confidential business plans,  
financial company data, personal id numbers, and job descriptions.

The drives were bought from the UK, America, Germany, France and  
Australia by BT's Security Research Centre in collaboration with the  
University of Glamorgan in Wales, Edith Cowan University in Australia  
and Longwood University in the US.

A spokesman for BT said they found 34 per cent of the hard disks  
scrutinised contained 'information of either personal data that could  
be identified to an individual or commercial data identifying a  
company or organisation.'

And researchers said a 'surprisingly large range and quantity of  
information that could have a potentially commercially damaging impact  
or pose a threat to the identity and privacy of the individuals  
involved was recovered as a result of the survey.'

Two disks appear to have been formerly used by Lanarkshire NHS Trust  
to hold information from the Monklands and Hairmyres hospitals  
including patient medical records, images of x-rays, medical staff  
shifts and sensitive and confidential staff letters.

In Australia, one disk came from a nursing home and contained pictures  
of patients and their wounds.

Confidential material including network data and security logs from  
the German Embassy in Paris were also discovered on a disk from France.

And the trading performances and budgets of a UK-based fashion  
company, corporate data from a major motor manufacturing company were  
discovered along with details of a proposed 50 billion currency  
exchange through Spain involving a US-based consultant.

Dr Andy Jones, head of information security research at BT, who led  
the survey, said: 'This is the fourth time we have carried out this  
research and it is clear that a majority of organisations and private  
individuals still have no idea about the potential volume and type of  
information that is stored on computer hard disks.

'For a very large proportion of the disks we looked at we found enough  
information to expose both individuals and companies to a range of  
potential crimes such as fraud, blackmail and identity theft.

'Businesses also need to be aware that they could also be acting  
illegally by not disposing of this kind of data properly.'

Dr Iain Sutherland of the University of Glamorgan said: 'Of  
significant concern is the number of large organisations that are  
still not disposing of confidential information in a secure manner. In  
the current financial climate they risk losing highly valuable  
propriety data.'

A spokesman for Lockheed Martin, who make the THADD launch system,  
said: 'Lockheed Martin is not aware of any compromise of data related  
to the Terminal High Altitude Area Defence programme.

'Until Lockheed Martin can evaluate the hard drive in question, it is  
not possible to comment further on its potential contents or source.'

A spokesman for NHS Lanarkshire said: 'This study refers to hard disks  
which were disposed of in 2006. At that time NHS Lanarkshire had a  
contractual agreement with an external company for the disposal of  
computer equipment.

'In this instance the hard drives had been subjected to a basic level  
of data removal by the company and had then been disposed of  
inappropriately. This was clearly in breach of contract and was wholly  
unacceptable.'

The spokesman said the trust now destroy equipment containing data on  
the premises, so no longer use external companies to dispose of IT  
equipment.

More information about the Infowarrior mailing list