Businesses failing to safeguard sensitive data

Organisations charged with safeguarding sensitive data are not doing enough to ensure that information is cleansed from hard disks before disposal, according to BT.

A study of second-hand disks by BT and universities in Australia, the UK and the US found "a surprisingly large range and quantity of information that could be potentially commercially damaging or a threat to the identity and privacy of the individuals involved".

Researchers from one of the universities involved in the study, the University of Glamorgan, found that, in the UK, 41 per cent of the hard disks studied retained commercially sensitive information.

BT's global head of security research and development, Bryan Littlefair, said: "Some businesses are clearly not doing enough to cleanse hard disks. Some organisations are not putting correct data-disposal measures in place. It's not just a matter of deleting information or reformatting the hard disk."

silicon.com's Full Disclosure campaign - what we are asking for...

silicon.com wants the government to review its data protection legislation and improve the reporting of information security breaches in the public and private sectors.

We are calling for greater public debate and for the government to consider legislation that would require organisations that suffer information security breaches to alert their customers if there is a chance the breach has put individuals' sensitive personal data at risk.

We want to hear your views about this campaign and the issues it raises. Make your voice heard by leaving a Reader Comment below, emailing us at editorial@silicon.com or signing the 10 Downing Street e-petition.

The researchers used "easily available" open source forensics tools, such as Autopsy and Helix, which they described as not requiring "significant levels of skill or knowledge to effect the recovery of remnant data from storage media".

Sensitive NHS patient data was recovered from one of the disks. The study said: "Data from a disk that appears to originate from the National Health Service in the UK relates to hospital/medical data that can be attributed to a specific group of hospitals. The information retrieved included patient medical data, including histology reports and other information for a number of individuals, and a telephone contact list for the group of hospitals. There was also data present that indicated the interests of the users of the system in terms of their web-surfing habits."

Nine disks were recovered that had belonged to a furniture warehousing company based in the East Midlands. The information recovered included the company logo, letters to customers, the names of staff, internal telephone numbers, a number of (expired) credit-card numbers, a letter threatening court action and pornographic material.

Littlefair said companies and organisations must take responsibility for the disposal of hard-disk drives and, if using an external disk-disposal company, must make sure that company is reputable.

He said: "The buck stops at the enterprise. Certainly, if disk disposal is farmed out and is not done correctly, it's the fault of the data-cleansing company but organisations are ultimately responsible. Costs, accounts information, and profits are all of major interest to competitors. If global address lists and contract bidding information [is released], these can cause a big impact and could be share price-affecting in some instances."

There is also increasing national and international legislative pressure to address data-protection issues. In the UK, the Data Protection Act means that organisations should be responsible for data throughout its lifecycle, including its disposal.

The report called for organisations to introduce risk assessments to determine the sensitivity of the information on their disks, procedures to ensure their systems and disks are disposed of in an appropriate manner and, where appropriate, physical destruction of their disks. BT also called for full hard-disk encryption.

The study called for a public awareness campaign by commerce, academia and the government.

A total of 133 disks from the UK were studied. Two of the disks contained data that was deemed serious enough to be passed on to the law-enforcement authorities for study. All of the disks had been forensically imaged, with the image held in secure storage, to establish a chain of custody should the need arise.

As well as the University of Glamorgan, the other universities involved in the study were Australia's Edith Cowan University and Longwood University in the US.

Tom Espiner writes for ZDNet UK