Data Breach From End-of-Life IT Media: Not “If” But “When”

February 19, 2020 at 1:09 pm by Flora Knolton

A Reactionary Approach is Not Going to Cut it

While the age of Big Data has improved our lives in countless ways, there is seemingly an equal number of potential downsides. As we all know too well, the exponential rate at which data volume is growing has spawned nonstop cyber activity intent on using this data for illegal purposes. The danger couldn’t be more extreme—or more real: in today’s Internet-dominated world, someone seeking to steal sensitive, confidential, or proprietary data (e.g., personally identifiable information, or PII) no longer has to physically breach a facility.

It’s important to remember, however, that data theft isn’t limited to online, or cyber, activity. IT assets (i.e., electronic storage devices containing data) constitute physical hardware that is likewise vulnerable to theft. Consequently, it’s critical that companies safeguard IT assets throughout the entire lifecycle, including physical destruction to the point of irreversibility. End-of-life data destruction processes must be formalized and precisely followed; far too much is at stake should IT assets fall into the wrong hands.

A dedicated, internal security team is necessary to prevent breaches. A reactionary approach is unacceptable; the potentially catastrophic consequences of compromised or stolen data outright negate the luxury of taking a passive approach. The literal costs of stolen data can involve monetary fines in the millions of dollars—while the intangible costs associated with reputation damage, identity theft and disclosure of confidential/sensitive information can easily exceed all measurement.

Cases in point: Cyber-Related Data Breaches are Becoming More Destructive … and More Expensive

In mid-2019, the UK's Information Commissioner's Office (ICO) announced a then-record intention to fine British Airways £183 million (about $230 million) for violating the European Union's General Data Protection Regulation (GDPR). The Magecart group of cyber criminals compromised the British Airways website and used just 22 lines of injected script to harvest personal and payment-card data for approximately 500,000 customers over a two-week period.

Only days later, the ICO announced a £99 million (about $124 million) proposed fine against Marriott International for a breach that compromised roughly 339 million guest records worldwide. The intrusion began in the Starwood Hotels & Resorts Worldwide reservation system in 2014, before Marriott acquired Starwood, and was not discovered until November 2018, by which time the attackers had been inside for four years. Marriott reported the breach shortly after discovering it.

In 2015, U.S. health insurance giant Anthem, Inc., suffered a breach that began with spear-phishing emails and ended with the records of nearly 79 million people compromised. The harvested data included full names, birthdates, employment information, addresses, Social Security numbers and medical identification numbers. In 2017, a class-action settlement cost Anthem $115 million, much of it earmarked for two years of identity-theft protection for affected individuals. One year later, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) also fined Anthem a record $16 million for violations of the Health Insurance Portability and Accountability Act (HIPAA).

Perhaps the largest cyber-related theft thus far occurred in 2017, when an unpatched vulnerability in the Apache Struts web framework, used by one of Equifax's consumer-facing web applications, allowed attackers to steal data associated with approximately 147 million people. After discovering the breach, Equifax waited more than a month to disclose it. The company's negligence will cost it at least $575 million, and potentially up to $700 million, under a record settlement reached in July 2019 with the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and all U.S. states and territories.

Waiting for the Inevitable: Physical IT Assets and the Failure to Destroy End-of-Life Data

Given the carelessness with which many organizations, governments, individuals and third-party companies discard IT assets, it’s amazing that catastrophic end-of-life data breaches have not yet occurred. We have previously discussed why a comprehensive in-house destruction plan for end-of-life data is essential, since you simply do not know what happens to data unless your organization has supervised firsthand the entire data life cycle.

Ensuring chain of custody for every piece of IT hardware that stores personal, sensitive or classified data, from the beginning to the end of its life cycle, will go a long way toward preventing a costly breach. Just ask the U.S. Department of Defense (DoD), which banned USB thumb drives after a 2008 incident in which a thumb drive found in the parking lot of a Middle East military installation was plugged into a laptop on a DoD network and released a worm that took 14 months to eradicate.
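A chain of custody is only useful if the record itself cannot be quietly edited after the fact. The following is an added example, not code from the original post or from SEM, of a tamper-evident custody log: each entry is hashed together with the previous entry's digest, so altering or deleting any earlier handoff breaks every later digest, and a completeness check flags media whose trail does not end in a witnessed in-house destruction. The asset serials, names, locations and timestamps are constructed sample data.

```python
"""
Added example: tamper-evident chain-of-custody log for storage media.
Each entry's digest covers the previous digest plus the event, so the log
can only be extended, not rewritten. Record the final digest somewhere the
log's custodian cannot touch (e.g. on the certificate of destruction).
"""
import hashlib
import json

GENESIS = "0" * 64  # digest "before" the first entry


def entry_digest(prev_digest, event):
    # Canonical JSON so an identical event always hashes identically.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_digest + payload).encode()).hexdigest()


def append(log, event):
    """Append an event and return its digest (the new chain head)."""
    prev = log[-1]["digest"] if log else GENESIS
    log.append({"event": event, "digest": entry_digest(prev, event)})
    return log[-1]["digest"]


def verify_chain(log):
    """Recompute every digest. Returns (ok, index of first bad entry or -1)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if entry_digest(prev, rec["event"]) != rec["digest"]:
            return False, i
        prev = rec["digest"]
    return True, -1


def incomplete_assets(log):
    """Serials whose most recent event is not a witnessed, in-house destruction."""
    last = {}
    for rec in log:
        last[rec["event"]["serial"]] = rec["event"]
    return sorted(
        serial for serial, ev in last.items()
        if not (ev["action"] == "destroyed"
                and ev["location"] == "in-house"
                and ev.get("witness"))
    )


def build_sample_log():
    """Constructed sample: one drive destroyed in-house, one handed to a third party."""
    log = []
    append(log, {"serial": "SN-A1", "action": "issued", "from": "IT stock",
                 "to": "finance-ws-07", "location": "in-house",
                 "time": "2019-03-04T09:00Z"})
    append(log, {"serial": "SN-A1", "action": "pulled", "from": "finance-ws-07",
                 "to": "secure cage", "location": "in-house",
                 "time": "2019-11-20T14:10Z"})
    append(log, {"serial": "SN-A1", "action": "destroyed", "from": "secure cage",
                 "to": "shredder-2", "location": "in-house",
                 "witness": "security officer on duty",
                 "time": "2019-11-21T10:05Z"})
    append(log, {"serial": "SN-B2", "action": "issued", "from": "IT stock",
                 "to": "hr-ws-03", "location": "in-house",
                 "time": "2019-05-12T08:30Z"})
    # Off-site handoff with no destruction record: the case the Ghana drive illustrates.
    append(log, {"serial": "SN-B2", "action": "handed off", "from": "hr-ws-03",
                 "to": "third-party recycler", "location": "off-site",
                 "time": "2019-12-02T16:45Z"})
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("chain intact:", verify_chain(sample))
    print("assets without witnessed destruction:", incomplete_assets(sample))
```

The hash chain detects edits; it does not by itself prove who made them. For that, the chain head should be countersigned or copied out of band at each handoff, and the completeness check should be run before any certificate of destruction is issued.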

Several studies over the last few years show how often personal and classified information is found on used hard drives and USB drives. A 2019 study by Ontrack and Blancco Technology Group estimated that sensitive data remains on about 42% of used hard drives sold on eBay. Earlier in 2019, researchers at the University of Hertfordshire purchased 100 used USB flash drives in the U.K. and 100 in the U.S. from eBay: 68% of the U.S. drives and 67% of the U.K. drives contained recoverable data from their previous owners, and more than half of those held sensitive business or personal data.

In 2017, the Channel NewsAsia documentary The Trash Trail tracked the purchase of nine hard drives from various shops at Sim Lim Square in Singapore. The buyers were assured by the shop owners that all drives had been wiped clean and reformatted. The reality was that five of those drives contained sensitive personal information—and one of them contained complete medical records and passport details. Two additional hard drives contained sensitive corporate information.
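The shop owners' assurance that the drives were "wiped clean and reformatted" is exactly the gap these studies keep finding: a format rewrites the filesystem's bookkeeping, not the sectors that hold the files. The following is an added example, not code from the original post or from SEM, that simulates a small block device in memory, shows that a quick format leaves a record fully recoverable by a raw sector scan, and then applies a full overwrite with a sector-by-sector verification pass. The device size, the metadata region size and the record text are constructed assumptions.

```python
"""
Added example: quick format vs. full overwrite, with verification.
A 1 MiB "drive" is a bytearray of 512-byte sectors. Sizes are constructed.
"""

SECTOR = 512
DEVICE_SECTORS = 2048      # 1 MiB device (constructed)
METADATA_SECTORS = 8       # region a quick format rewrites (constructed assumption)
# Constructed sample record of the kind the Singapore drives held.
RECORD = b"PATIENT 0042 | DOB 1961-05-17 | PASSPORT K9876543"


def new_device():
    # Deterministic non-zero fill stands in for years of prior use.
    return bytearray((i % 251) + 1 for i in range(SECTOR * DEVICE_SECTORS))


def write_record(dev, sector, data):
    start = sector * SECTOR
    dev[start:start + len(data)] = data


def quick_format(dev):
    # Rewrites only boot sector / allocation tables; data sectors are untouched.
    dev[0:METADATA_SECTORS * SECTOR] = bytes(METADATA_SECTORS * SECTOR)


def full_overwrite(dev, pattern=b"\x00"):
    # Overwrite every byte of the device with the sanitization pattern.
    dev[:] = pattern * (len(dev) // len(pattern))


def carve(dev, needle):
    """Filesystem-agnostic scan for a byte string: what recovery tools do
    to a 'formatted' drive. Returns every byte offset where it appears."""
    hits, i = [], dev.find(needle)
    while i != -1:
        hits.append(i)
        i = dev.find(needle, i + 1)
    return hits


def verify_overwrite(dev, pattern=b"\x00"):
    """Check every sector carries the overwrite pattern.
    Returns the first non-conforming sector, or -1 if the device is clean."""
    expect = pattern * (SECTOR // len(pattern))
    for s in range(len(dev) // SECTOR):
        if dev[s * SECTOR:(s + 1) * SECTOR] != expect:
            return s
    return -1


def demo():
    """Run the whole scenario and return the observations."""
    dev = new_device()
    write_record(dev, 1500, RECORD)            # somewhere in the data area
    quick_format(dev)
    after_format = carve(dev, RECORD)          # record still present
    bad_after_format = verify_overwrite(dev)   # first sector the check rejects
    full_overwrite(dev)
    after_wipe = carve(dev, RECORD)            # nothing left to carve
    return {
        "offsets_after_format": after_format,
        "first_bad_sector_after_format": bad_after_format,
        "offsets_after_wipe": after_wipe,
        "first_bad_sector_after_wipe": verify_overwrite(dev),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two caveats a practitioner would add. The verification pass is the part most often skipped, and on a real drive it means reading every sector back, not trusting the tool's exit code. And overwriting is only meaningful where the controller writes where it is told: SSDs and other flash media remap and retain sectors, so for them a firmware-level sanitize or cryptographic erase followed by physical destruction is the only result that can be verified.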

In 2009, University of British Columbia journalism students shooting a documentary about e-waste in Ghana purchased seven hard drives from a market in Tema. One of the drives contained sensitive information about multi-million-dollar U.S. defense contracts between the Pentagon, the Department of Homeland Security and contractor Northrop Grumman. The contractor believes the drive was stolen from a third-party asset-disposal company.

Also in 2009, a study conducted by British Telecommunications' Security Research Centre, the University of Glamorgan in Wales, Edith Cowan University in Australia and Longwood University in the U.S. examined 300 secondhand hard drives. On those drives was a variety of sensitive information, including trading performance and budget documents of a fashion company, corporate data from a motor manufacturer and, incredibly, test launch procedures for the U.S. Terminal High Altitude Area Defense (THAAD) missile-defense system.

In all these examples, imagine what could have happened if that data had fallen into the hands of criminals rather than individuals conducting investigative studies. Catastrophic end-of-life data breaches will happen; it is just a matter of time. No one handling sensitive data should become complacent or take a lax approach to securing it.

Bottom line: Any used IT storage device that has not been in your organization's chain of custody for its entire life, or that has reached its end of life, should be thoroughly destroyed in-house, to the point of irreversibility, with equipment that meets or exceeds industry standards. Companies like SEM provide a variety of equipment capable of completely and securely destroying data contained on any IT hardware, including the industry's only equipment capable of destroying enterprise-class drives.