[ISN] Confidential data left on old PCs
InfoSec News
isn at c4i.org
Fri Feb 18 04:31:57 EST 2005
http://www.vnunet.com/news/1161309
[Time for our yearly report on how used hard drives bought from
eBay elicit sensitive security information. Guess what, nothing
has changed! http://seclists.org/lists/isn/2003/Jan/0072.html - WK]
Peter Warren
Computing
17 Feb 2005
Highly-sensitive information such as passwords and user names of
company executives has been found on used computer disk drives bought
on eBay.
Researchers at the University of Glamorgan analysed some 100
randomly-sourced PC hard disks, and discovered that more than half
contained data from organisations such as multinational companies,
universities and a primary school.
Data on the disks included:
* staff records, passwords, internal emails and financial details
* school reports, a list of pupils, and letters to parents
* a document template for university degree certificates.
Attempts had been made to destroy data on nearly half the disks in the
study, but significant material remained intact.
'On at least seven of the disks that I have seen there was enough
information to allow a hacker to get into an organisation,' said Dr
Andy Jones, security research group leader for BT Exact, who examined
the disks.
The government issues guidelines to businesses and public bodies on
the proper disposal of computer equipment, much of it freely available
online.
But the University of Glamorgan research, seen exclusively by
Computing, suggests that even the most diligent organisations can
still be affected.
Information from Swedish insurance company Skandia was uncovered, even
though the firm invests in data destruction. 'This is not embarrassing
for us, it's absolutely horrifying,' said a Skandia spokeswoman.
'We pay to have our data wiped thoroughly, so we are going to have to
investigate to discover how it happened and make sure it does not
happen in the future.'
Southampton University says it has launched an investigation, after
passwords and staff emails were discovered by the research. The
university uses a specialist company to wipe disks before disposal of
equipment.
'We need to find out what happened and ensure it doesn't happen
again,' said a spokeswoman.
Agrochemicals company Monsanto says it will investigate how details of
crop research from its Cambridge offices were found.
'We assume this is an isolated incident which has arisen during the
restructuring of our Cambridge offices, when a number of IT items were
disposed of at the end of their working lives,' said a spokesman. 'It
seems a serious lapse in our procedures for the disposal of surplus IT
kit has occurred.'
Computing has requested that all disks and data recovered by the
University of Glamorgan research are returned to their original owners
or destroyed.