Ghosts from the machines: ten years of carelessly discarded data – CSRI6th Sep 2011
British businesses and households are throwing away a staggering 15.1 million Gigabytes of data a year on old computers, according to a new study.
Much of this data is stored in old hard drives that are left on rubbish tips or are sold on without being wiped clean – meaning that they can fall into the hands of business competitors or, worse, criminals.
The study, ‘The ghosts from the machines: a history of ten years of carelessly discarded data‘, carried out by the Cyber Security Research Institute on behalf of the Asset Disposal and Information Security Association, brings together research by the CSRI with that from its academic partner organisations the University of Glamorgan, Australia’s Edith Cowan University and Longwood University in the US and found that high-profile companies and private individuals were guilty of letting go of data that had not been properly disposed of.
One such big company is Rupert Murdoch’s News International. In a revelation likely to bring fresh embarrassment to the corporation, which was embroiled in the phone hacking scandal in 2011, the report says that an un-wiped hard drive belonging to it was later sold on to a third party. The hard drive names contained the home addresses and mobile phone numbers of the entire staff of The Sun, plus other high-profile individuals. The individuals included the then Sun editor Rebekah Wade, later chief executive of News International, Andy Coulson, who worked as David Cameron’s communications supremo before resigning over the hacking affair, and Top Gear presenter and News International columnist Jeremy Clarkson.
‘Fortunately for News International – and by sheer chance – the data from the hard drive came to the Cyber Security Research Institute,’ says CSRI Chairman and report author Peter Warren. ‘But it highlights once again the huge volume and value of data that is literally being thrown away by UK businesses and individuals each year.’ He adds: ‘In the case of News International this information on staff could have been used by competitors or criminals to glean vital and commercially confidential information,’ says Warren. ‘It could even have been used to hack their staff members’ phones.’
More widely the report looks at the massive scale of data that is being casually thrown away by consumers and businesses every year in Britain.
The research found 30 percent of drives currently making their way onto the second-hand market had data on them and that over the last ten years four out of every time drives contained data. And according to the CSRI’s figures, over the last five years some 95.6m Gigabytes of data have been discarded on UK hard drives alone.
Professor Neil Barrett, the visiting Chair of Forensics at the Royal Military College in Shrivenham, who carried out the first hard drive study in 2000 says: ‘I don’t think it is an exaggeration to say that there is an entire ghost data nation haunting the rubbish tips and second shops of the UK.’
The study emphasises that the problem is not confined to hard drives on computers but to mobile storage devices and, increasingly, mobile phones too.
‘This story is not going to go away, that’s why we’re highlighting it,’ said Steve Mellings, director of Adisa. ‘Whilst the problem has shown some signs of improvement over the last few years we are entering a new technology phase with solid state media being particularly difficult to handle. With mobile phones, USB sticks, tablets and many new laptops utilising SSD it is critical that people address this issue by implementing effective asset disposal policies.’
It estimates that around 90 million Gigabytes of unprotected data is annually discarded from mobile phones. Though the bulk of this will be music and pictures around 4.5 million Gigabytes will be contact details and personal data such as emails.
Data that the researchers have found has an enormous value – according to the report information that could have accounted for £85m in benefit fraud and details that could create some £6bn of identity fraud has been trusted to our rubbish dumps and E-Bay.
‘The black market in personal data is huge,’ confirms Rob Rachwald, director of security strategy, for the intrusion prevention company Imperva. ‘We monitor a lot of hacker forums and on just one there are 250,000 people trading stolen credit card information. ‘From a hacking point of view data from a hard drive would be particularly valuable because there would be no audit trail as to where the data came from, there would be no one within an organisation that you could find who might have supplied the information, so that any attack using data taken from a hard drive literally comes at you from nowhere.’
And companies do not only need to worry about the criminals. Carelessness can now cost far more than the fines that can be levied by the Information Commissioner, the FSA and credit card companies according to Jon Godfrey, a director of Sims Recycling Solutions, which has jointly sponsored the research with BT.
‘Over the Paul McCartney story I was told the reputational loss was estimated by Deutsche Bank, which owned Morgan Grenfell, to be between £10-£12 million, that’s nothing, now there’s a legal obligation to write to everyone involved,’ says Godfrey. ‘Just think about that in terms of the 22m records that Her Majesty’s Revenue and Customs lost. Everyone had a letter written to them at a cost of between 70p and a £1, add legal costs and brand damage and the costs are four times the value of any fine.’
Another data security threat highlighted by the study is the increasingly blurred line between using computers, software, communication devices and passwords at home and at work. This means that that personal and business data become mixed together on the same storage devices, such as hard drives and portable storage devices.
‘For criminals who use information against individuals and businesses, this makes such storage devices doubly attractive,’ says Professor Andrew Blyth of the University of Glamorgan. ‘For example, passwords used in the work environment may often be stored an employee’s home computer or personal storage device for the sake of convenience if they are often working from home. Research carried out by a number of companies into password use has revealed that people will very frequently use the same password for everything that they do.’
Apart from more and better education of the public and businesses about securing their data, the report suggests solutions to the problem of carelessly discarded data. One is to create a rigorous set of standards for data destruction to ensure that all companies who say they will destroy your data for a company actually do so.
‘One of the more worrying trends to emerge from our surveys over the last decade concerns the fact that, in a number of cases, the drives we have examined had been given to a third party to dispose of,’ says Warren. ‘But instead of destroying the data those third parties had simply sold on the drives.’
Another key requirement, say the report’s authors, is greater use of encryption to protect a person’s private or commercial data should it fall into the wrong hands. One approach would be to enable encryption on all new storage devices – either to encrypt, the data at rest on a machine or to introduce a system that enables the end of life encryption of a computer hard drive. This could be enabled by a user when they decide to dispose of their machine.
‘While the CSRI recognises that such protection is unlikely in the short-term, the use of encryption should also be introduced as part of an overall approach to the protection of data and a data audit process,’ says Warren.
The full report is available from the Cyber Security Research Institute. Www.csri.info
Contact us: Peter Warren, Chairman of the CSRI and lead author of the report is available for interview. Contact him on +44 207-100-1389 or via email@example.com.
The Cyber Security Research Institute is a non-profit making body dedicated to the research and dissemination of information about cyber crime and cyber security.
About the study:
The analysis of hard drives was carried out by the Cyber Security Research Institute and Glamorgan University on behalf of the Asset Disposal and Information Security Association.
It involved the analysis of 346 hard drives, 174 discs in the UK, 74 from America, 39 from Germany 17 from France and 42 from Australia. The first survey in 2000 was carried out by Professor Neil Barrett who at the time was working for IRM, Future Intelligence, and Tam. Five successive hard drive surveys were carried out in 2005 by the University of Glamorgan on behalf of Lifecycle Services and involving Future Intelligence. In the final surveys in 2006, 2007, 2008 and 2009 the work of the team was supported by BT and Sims following its takeover of Lifecycle Services.
£399 per report: [buynow id=" 24"="" quantity="input=menu" ajax="on" ]