A study of secondhand disks by BT and universities in the U.K., the U.S. and Australia found "a surprisingly large range and quantity of information that could be potentially commercially damaging or a threat to the identity and privacy of the individuals involved."
Researchers from one of the universities involved in the study, the University of Glamorgan, found that in the U.K. 41 percent of the hard disks studied retained commercially sensitive information.
"Some businesses are clearly not doing enough to cleanse hard disks," said BT's global head of security research and development, Bryan Littlefair. "Some organizations are not putting correct data-disposal measures in place. It's not just a matter of deleting information or reformatting the hard disk."
The researchers used "easily available" open-source forensics tools, such as Autopsy Forensic Browser click me and Helix, which they said did not require "significant levels of skill or knowledge to effect the recovery of remnant data from storage media."
Sensitive patient data was recovered from a disk that had been in service at the U.K.'s National Health Service.
"Data from a disk that appears to originate from the National Health Service in the U.K. relates to hospital/medical data that can be attributed to a specific group of hospitals. The information retrieved included patient medical data, including histology reports and other information for a number of individuals, and a telephone contact list for the group of hospitals. There was also data present that indicated the interests of the users of the system in terms of their Web-surfing habits," the study said.
Nine disks were recovered that had belonged to a furniture warehousing company based in the U.K.'s East Midlands. The information recovered included the company logo, letters to customers, the names of staff, internal telephone numbers, a number of (expired) credit card numbers, a letter threatening court action and pornographic material.
Littlefair said companies and organizations must take responsibility for the disposal of hard-disk drives and, if using an external disk-disposal company, must make sure that company is reputable.
"The buck stops at the enterprise," he said. "Certainly, if disk disposal is farmed out and is not done correctly, it's the fault of the data-cleansing company, but organizations are ultimately responsible. Costs, accounts information and profits are all of major interest to competitors. If global address lists and contract bidding information (is released), these can cause a big impact and could be share price-affecting in some instances."
There is also increasing national and international legislative pressure to address data-protection issues. In May, the U.S. Senate presented two measures, the Data Privacy and Security Act and the Notification of Risk to Personal Data Act, aimed at reining in personal data use by the government and the private sector. A provision of the Data Protection Act in the U.K. makes organizations responsible for data throughout its lifecycle, including its disposal.
The report called for organizations to introduce risk assessments to determine the sensitivity of the information on their disks, procedures to ensure that their systems and disks are disposed of in an appropriate manner and, where appropriate, physical destruction of their disks. BT also called for full hard-disk encryption.
The study called for a public awareness campaign by the government, commerce and academia.
A total of 133 disks from the U.K. were studied. Two of the disks contained data that was deemed serious enough to be passed on to law enforcement authorities for study. All of the disks had been forensically imaged, with the image held in secure storage, to establish a chain of custody should the need arise.
In addition to the University of Glamorgan, the other universities involved in the study were Australia's Edith Cowan University and, in the U.S., Longwood University in Farmville, Va.
Tom Espiner of ZDNet UK reported from London.