Sensitive data left on used hard drives: Forensic Investigation for ICO
Global information assurance company, NCC Group, has assisted
the ICO in undertaking a forensics investigation into the sensitive
data left on used hard drives.
NCC Group sourced around 200 hard drives, 20 memory sticks and 10
mobile phones, and searched them using forensics tools freely
available on the internet. In total 34,000 files containing
personal or corporate information were removed from the
Paul Vlissidis, technical director at NCC Group, comments: "When
it comes to information security, human error and carelessness is
consistently the weakest link. Hopefully this research will be a
wakeup call for the individuals and organisations who think their
responsibility and liability ends with the delete button.
"This isn't a case of scaremongering, or using sophisticated
techniques only available to large organisations. We purposefully
used simple, easily sourced forensics processes and tools, to
demonstrate that any information we accessed could also easily be
stolen by people of criminal intent.
"Let's say a person replaces their personal smartphone annually
and their laptop every two or three years - and is also going
through a variety of company devices. On top of that, they may be
accessing confidential corporate data on a personal device as part
of a bring-your-own-technology policy. Even if their employer is
strict about disposal of company devices, they may not be able to
control how an individual disposes of an unwanted laptop.
"Ultimately, there's a huge amount of information being stored
that is potentially damaging in the wrong hands. To protect both
personal and corporate data, it's essential that people become
better educated about securely wiping devices, which is what this
research is intended to highlight."