West Australian government agencies are too laissez-faire with the disposal of old computers, according to a report by the WA Auditor General.
The Auditor General's office bought 19 second-hand PCs which looked to be ex-government. Of those, 10 proved to be so. From four of the 10 hard drives, the team was able to retrieve information, some of it sensitive, including tax file numbers, salary information, superannuation information, home addresses, dates of birth, photos, personal e-mails, letters, resumes, performance reviews, and contact details.
Three of the four computer hard drives found to contain sensitive information had been formatted, but this provided only a low level of security. The fourth seemed to have undergone no attempt to remove any data before it was disposed of.
The Auditor General's office then looked at the computer disposal policies of seven government agencies to see if they were adequate, including those identified in the test of second-hand hard drives.
The findings were not ideal. Three of the agencies had no disposal policy. One had a policy but staff didn't know about it. Two of the agencies said data needed to be deleted but did not specify how. The last agency's policy involved formatting hard drives before disposal.
"This method, even if consistently applied, does not remove data from computer hard drives and is inappropriate for deletion of sensitive information," the Auditor General's report said.
Two agencies were leasing their computers from a third party and expected that party to remove the data. Three of the agencies relied on government contractors for disposal. None of the agencies were checking that data had been securely removed.
Lack of government guidance on appropriate methods of removing data from computers prior to disposal has contributed to some agencies using methods that do not provide adequate security, while others go beyond the security requirements, according to the report.
"It is important for the agencies to select methods that provide sufficiently secure removal of data at an appropriate cost," the report said.
In response to the findings, the State Records Office has updated guidelines for government agencies when disposing of hard drives and other electronic media.
The guidelines say that the method of media disposal should depend on the sensitivity of data. Highly sensitive information should be destroyed physically. The guidelines recommend shredding or breaking the media into small pieces, applying corrosive agents to the media, or melting the media in a furnace.
With moderately sensitive data, the guidelines suggest degaussing, which means applying a strong magnetic field to the media.
For non-sensitive data, the guidelines deem overwriting — overwriting data across the entire media to replace it with new meaningless data — as appropriate. The guidelines advise that the disposer write zeros over the whole of the media, then ones and then random data.
Physical destruction and magnetic wiping were effective, according to Vicki Brauner, managing director of recovery specialists CBL Data Recovery, but she said a degaussing unit for magnetic wiping is expensive, costing in the range of seven to 10 thousand dollars.
Overwriting is also effective, she said, as long as the drive is written over from start to finish. "Anything that wipes a drive three to four times is pretty substantial wiping," she said.
A big issue is whether or not the drive is in working condition, she said. It is possible for professionals to repair a drive and retrieve data, she said. However, if a drive is not working, it cannot be wiped. This may lead to data being thrown away that could be recovered later.
Whichever method of disposal is chosen, there need to be checks on whether the data is irretrievable, she said, highlighting the problem of human error. It might be, for example, that a human operator has put the drive in the magnetic wiping unit and forgotten to turn it on.
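The overwriting sequence in the guidelines (zeros, then ones, then random data) combined with the read-back check Brauner calls for can be sketched as follows. This is an added example, not code from the report or the guidelines; the function names and the temp file standing in for a drive are assumptions.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # process the target 1 MiB at a time

def target_size(path):
    # Seeking to the end works for image files and for Linux block devices.
    with open(path, "rb") as f:
        return f.seek(0, os.SEEK_END)

def overwrite_pass(path, size, make_chunk):
    """Overwrite the target from start to finish; return SHA-256 of the bytes written."""
    digest = hashlib.sha256()
    with open(path, "r+b") as f:
        for offset in range(0, size, CHUNK):
            buf = make_chunk(min(CHUNK, size - offset))
            f.write(buf)
            digest.update(buf)
        f.flush()
        os.fsync(f.fileno())  # push the pass out of OS buffers before checking it
    return digest.hexdigest()

def read_back(path, size):
    """Hash what is actually readable from the target after a pass."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for offset in range(0, size, CHUNK):
            digest.update(f.read(min(CHUNK, size - offset)))
    return digest.hexdigest()

def wipe_and_verify(path):
    """Zeros, then ones, then random data; each pass is checked by read-back."""
    size = target_size(path)
    passes = [("zeros", lambda n: bytes(n)),
              ("ones", lambda n: b"\xff" * n),
              ("random", os.urandom)]
    report = {}
    for name, make_chunk in passes:
        report[name] = overwrite_pass(path, size, make_chunk) == read_back(path, size)
    return report

if __name__ == "__main__":
    # Constructed stand-in for a drive: a temp file holding fake personal data.
    with tempfile.NamedTemporaryFile(delete=False) as img:
        img.write(b"TFN 000 000 000; salary 00000\n" * 50000)
    print(wipe_and_verify(img.name))  # every pass should report True
    os.remove(img.name)
```

On a real device the read-back can be served from the operating system's cache, so a disposal check should reread the media after the cache has been dropped or from a separate machine.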