Organisations charged with safeguarding sensitive data are not doing enough to ensure that information is cleansed from hard disks before disposal, according to BT.
A study of second-hand disks by BT and universities in the UK, the US and Australia found "a surprisingly large range and quantity of information that could be potentially commercially damaging or a threat to the identity and privacy of the individuals involved".
Researchers from one of the universities involved in the study, the University of Glamorgan, found that, in the UK, 41 percent of the hard disks studied retained commercially sensitive information.
"Some businesses are clearly not doing enough to cleanse hard disks," said BT's global head of security research and development, Bryan Littlefair. "Some organisations are not putting correct data-disposal measures in place. It's not just a matter of deleting information or reformatting the hard disk."
The researchers used "easily available" open-source forensics tools, such as Autopsy and Helix, which they described as not requiring "significant levels of skill or knowledge to effect the recovery of remnant data from storage media".
Sensitive NHS patient data was recovered from one of the disks. "Data from a disk that appears to originate from the National Health Service in the UK relates to hospital/medical data that can be attributed to a specific group of hospitals. The information retrieved included patient medical data, including histology reports and other information for a number of individuals, and a telephone contact list for the group of hospitals. There was also data present that indicated the interests of the users of the system in terms of their web-surfing habits," the study said.
Nine disks were recovered that had belonged to a furniture warehousing company based in the East Midlands. The information recovered included the company logo, letters to customers, the names of staff, internal telephone numbers, a number of (expired) credit-card numbers, a letter threatening court action and pornographic material.
Littlefair said that companies and organisations must take responsibility for the disposal of hard-disk drives and, if using an external disk-disposal company, must make sure that company is reputable. "The buck stops at the enterprise," he said. "Certainly, if disk disposal is farmed out and is not done correctly, it's the fault of the data-cleansing company, but organisations are ultimately responsible. Costs, accounts information, and profits are all of major interest to competitors. If global address lists and contract bidding information [is released], these can cause a big impact and could be share price-affecting in some instances."
There is also increasing national and international legislative pressure to address data-protection issues. In the UK, the Data Protection Act means that organisations should be responsible for data throughout its lifecycle, including its disposal.
The report called for organisations to introduce risk assessments to determine the sensitivity of the information on their disks, procedures to ensure that their systems and disks are disposed of in an appropriate manner and, where appropriate, physical destruction of their disks. BT also called for full hard-disk encryption.
The study called for a public awareness campaign by the government, commerce and academia.
A total of 133 disks from the UK were studied. Two of the disks contained data that was deemed serious enough to be passed on to the law-enforcement authorities for study. All of the disks had been forensically imaged, with the image held in secure storage, to establish a chain of custody should the need arise.
As well as the University of Glamorgan, the other universities involved in the study were Australia's Edith Cowan University and Longwood University in the US.