Sensitive data left on used hard drives: Forensic Investigation for ICO

Global information assurance company, NCC Group, has assisted the ICO in undertaking a forensics investigation into the sensitive data left on used hard drives.
 
NCC Group sourced around 200 hard drives, 20 memory sticks and 10 mobile phones, and searched them using forensics tools freely available on the internet. In total 34,000 files containing personal or corporate information were removed from the devices.
 
Paul Vlissidis, technical director at NCC Group, comments: "When it comes to information security, human error and carelessness is consistently the weakest link. Hopefully this research will be a wakeup call for the individuals and organisations who think their responsibility and liability ends with the delete button.
 
"This isn't a case of scaremongering, or using sophisticated techniques only available to large organisations. We purposefully used simple, easily sourced forensics processes and tools, to demonstrate that any information we accessed could also easily be stolen by people of criminal intent. 

"Let's say a person replaces their personal smartphone annually and their laptop every two or three years - and is also going through a variety of company devices. On top of that, they may be accessing confidential corporate data on a personal device as part of a bring-your-own-technology policy. Even if their employer is strict about disposal of company devices, they may not be able to control how an individual disposes of an unwanted laptop.
 
"Ultimately, there's a huge amount of information being stored that is potentially damaging in the wrong hands. To protect both personal and corporate data, it's essential that people become better educated about securely wiping devices, which is what this research is intended to highlight."