Personal computers today are so cheap they are almost disposable, but unless you get rid of them properly, they could end up costing more than expected. Selling them on eBay, donating them to charities or giving them to employees could compromise data on the hard drive.
Deleting data will not solve the problem. Deleting a file in Windows removes it only from an index of files. Because the index entry is removed, Windows ignores the file, but it is still on the hard drive. Freely available data recovery tools can recover the file.
Plenty of companies and individuals release sensitive data into the public domain in this way. In a study sponsored by financial services company Capital One, Professor Martin Gill from the University of Leicester was able to recover personal information from six second-hand computers. One PC, bought via an internet auction, included bank account details and website user names and passwords. Another contained a business spreadsheet with information about creditors, payroll, and customers.
“Many people have Word files containing all of their passwords,” warns Andy Clark, a director at information forensics and security consultancy Inforenz. Like Mr Gill, he also purchased equipment on the internet, local newspapers and charity shops as an experiment. “What was fascinating was the information people had on their friends,” he recalls. “Open Outlook and you’ll find someone else’s name, address, email address and date of birth.” Such data can provide identity thieves with much of the information needed to impersonate an individual.
Even formatting a hard drive will not make data disappear, warns Simon Janes, international operations director at forensics company Ibas and formerly the head of Scotland Yard’s Computer Crime unit. “It does nothing. The raw data is still there,” he warns, adding that the only way to truly get rid of data is to overwrite it with a meaningless stream of ones and zeros.
Even one overwrite is enough to make data recovery difficult for villains, says Janes, but several companies (including Ibas) sell tools that will overwrite data numerous times. The more it is overwritten, the less likely it is that a determined data recovery expert will be able to pick up residual magnetism on the disk. Larger companies can invest a couple of thousand pounds in high-speed drive erasing hardware, says Inforenz’s Mr Clark, which could be a good investment.
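The two points made above (deleting only removes the index entry, and overwriting is what actually destroys the data) can be shown in a few lines of code. The following is an added example, not code from the article or from any of the vendors it mentions. The disk image and the "deleted" document are constructed sample data, and the function names (`carve_text`, `overwrite_file`, `secure_delete`, `overwrite_demo`) are hypothetical.

```python
import os
import re
import tempfile

# Constructed sample: a raw dump of a small disk region. The file system's
# index entry for the document has been removed, but its data blocks remain.
# FILLER imitates surrounding binary content (all bytes >= 0x80, so it never
# looks like readable text); the payload imitates a "deleted" document.
FILLER = bytes(0x80 + (i % 128) for i in range(1024))
SAMPLE_IMAGE = (
    FILLER
    + b"Sort code 12-34-56 account 87654321 password hunter2"
    + FILLER
)


def carve_text(raw: bytes, min_len: int = 8) -> list:
    """Return every run of at least min_len printable ASCII bytes in raw.

    This is the basic trick of a file-recovery tool: ignore the index
    entirely and look at what is physically on the disk.
    """
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(raw)]


def overwrite_file(path: str, passes: int = 3, chunk: int = 1 << 20) -> int:
    """Overwrite a file in place with random bytes, `passes` times.

    Each pass is flushed and fsync'ed so the new bytes reach the device
    rather than sitting in the page cache. Returns the file size.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                fh.write(os.urandom(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    return size


def secure_delete(path: str, passes: int = 3) -> int:
    """Overwrite, then unlink. Unlinking alone would only drop the index entry."""
    size = overwrite_file(path, passes)
    os.remove(path)
    return size


def overwrite_demo(secret: bytes = b"payroll: Smith 42000") -> dict:
    """Write a file containing `secret`, show it is carvable, overwrite it,
    and show it is no longer carvable. Returns the observations."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    with open(path, "wb") as fh:
        fh.write(FILLER + secret + FILLER)
    with open(path, "rb") as fh:
        before = carve_text(fh.read())
    size = overwrite_file(path, passes=1)
    with open(path, "rb") as fh:
        after_raw = fh.read()
    os.remove(path)
    return {
        "before": before,                      # the secret is visible
        "after_contains_secret": secret in after_raw,  # False after overwrite
        "size_preserved": size == len(after_raw),
    }


if __name__ == "__main__":
    print("carved from sample image:", carve_text(SAMPLE_IMAGE))
    print(overwrite_demo())
```

The carving step is why "deleted" files are recoverable: nothing in the data region changes when an index entry goes away. Two caveats apply to the overwrite step. On a journaling or copy-on-write file system, earlier copies of the file's blocks may survive outside the file itself, and on SSDs and USB flash the controller's wear levelling means a write to the same file offset need not land on the same physical cells. That is why the disposal tools discussed in the article wipe the whole device below the file system rather than overwriting individual files.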
So, what options are open to companies? Selling PCs through a second-hand channel such as eBay is not totally out of the question if the drive is wiped properly. The other option is to recycle. Dell offers free recycling to consumers and businesses, collecting boxes from their homes and transporting them to a recycling centre where the machines are shredded.
Manufacturers are likely to promote recycling more aggressively as the government implements the Waste Electrical and Electronic Equipment (WEEE) directive in law this year. This requires producers to offer free collection of electronic waste to private households. It advises the use of community collection points for this purpose, but Dell’s EMEA recycling manager Jean Cox-Kearns argues that equipment left in a WEEE collection point could be vulnerable.
Charitable donations are another option. Dell operates consumer and corporate donation programmes, as does the charity Computer Aid. Computer Aid chief Tony Roberts explains that the company’s London-based facility processes 3,000 PCs a month. PCs are wiped using Blancco, a data overwriting program certified by the US and UK governments.
If a PC meets certain specifications (the charity won’t take anything below a Pentium 3 and PCs must have at least 6Gb of storage), Computer Aid sends machines to worthy causes, such as African schools and the Kenyan Met Office to help analyse weather data.
Dell says if a PC is less than four years old it may have some resale value, and it offers an asset recovery programme. “If a customer has equipment that is suitable for second-hand use, we’ll take it back and refurbish it,” Ms Cox-Kearns says, adding that the company will charge for collection and processing. “We will then resell that equipment and the value we recover will be passed back to the customer.” Customers can either choose a guaranteed up-front payment from Dell regardless of what the second-hand equipment eventually sells for, or they can gamble by taking a percentage of the price that Dell gets for the equipment.
Dell does not wipe the hard drives in recycled PCs because its partners destroy them anyway, Ms Cox-Kearns explains. But for refurbished equipment, its partners overwrite the drives a minimum of three times.
PCs are not the only equipment that companies and individuals should worry about, says Dave Martin, who runs the recycling element within the security practice at IT services company LogicaCMG.
A company that has diligently cleaned its PC hard drives before donating or selling them might forget that hard drives now exist in photocopiers and printers, he points out. These will store documents.
“Anything that processes material that you consider sensitive is potentially at risk,” agrees Inforenz’s Mr Clark. His company routinely examines hard drives, mobile phones, PDAs, USB keys, wifi routers, printers, and telephone answering machines to recover information. “We haven’t had a toaster yet, but it’s only a matter of time,” he quips.
With mobile phone memory often holding sensitive data and USB keys frequently used to transfer or back up files, the dangers are increasing. These devices, like hard drives, generally do not delete data, but simply alter the index information, meaning files are still readable.
For this reason, says Al Brill, senior managing director at forensics company Kroll Ontrack, companies should have broad disposal policies covering their electronic assets. “You must have a policy to identify and track storage devices. Some rules will tell you to trash the equipment, or recycle it or give it to charity.”
Until companies and individuals are better educated about erasing their data before disposal, we are likely to see more studies in which sensitive data turns up in used equipment on eBay. For security consultants seeking some publicity, it is like shooting electronic fish in a barrel.