Home Industry Market Data breach problem as recycled computers reveal all

Data breach problem as recycled computers reveal all

Confidential personal and company information including medical records, legal matters, financials, the entire contents of an email inbox and personal mail from a Justice of the Peace are just some of the confidential data found on the hard drives of recycled computers.

The revelation that Australians at both a personal and organisational level are discarding their old computers without wiping all data from their hard drives comes from a two-month study commissioned by global, non-profit data protection agency, the National Association for Information Destruction (NAID).

“For the organisations recycling their drives, this is a data breach problem. For individuals, some of their most private information is at risk,” says NAID CEO Bob Johnson.

NAID randomly purchased 52 recycled computer hard drives from a range of publicly available sources, such as eBay and then asked forensic investigator, Insight Intelligence, to determine whether confidential information was on those drives.

Johnson says the study showed that of 15 of the 52 hard drives purchased, approximately 30% contained highly confidential personal information.

And, while seven of the 15 devices had been recycled by individuals, Johnson said eight had been recycled by organisations, including law firms operating in Victoria and Queensland, a government medical facility, and a community centre.

“All of these firms have a legal obligation to protect the public’s information,” Johnson says, pointing out that the results are “even more alarming given the new Privacy Act reforms that will be effective on 12 March, requiring organisations to up the ante with respect to managing and safeguarding people’s personal information.”

“The study is rather simple. The procedure used to find the information is intentionally very basic and did not require an unusually high degree of technical heroics. Had the data been properly erased, it could not have been found.”

According to NAID, Information on the hard drives included spreadsheets of clients’ and account holders’ personal information, including names, addresses, account numbers, confidential client correspondence, billing information, and personal medical information such as diagnoses, treatment, and prognoses.

“Where the computer hard drives had been previously owned by an individual they more often contained their most confidential personal details, including images of a highly personal nature and account information,” Johnson says.

“Specific examples included, one drive containing detailed legal case records of a difficult family dispute, another with an entire email box with numerous emails and attachments relating to the inner most workings of a medical facility as well as one with signed documents granting access to business and personal mail from a Justice of the Peace.”

“While it might be tempting to dismiss these results given the sample size,” said Johnson, “it is actually very disturbing. When you consider that the Australian Bureau of Statistics most recent estimates put the number of computers retired annually at over 15 million, the likely amount of private data put at risk in this manner is staggering.”

“People from anywhere in the world can buy these drives online, and you can be sure the ‘bad guys’ amongst them know how to use the information for evil. With the viral nature of social media, one can only imagine what could happen if someone decided to share any highly personal images and videos they have found on these drives.”

According to Insight Intelligence Managing Director, Mario Bekes, another “troubling finding,” was that often, where personal information was found, there were “telltale indications that someone had attempted to remove the information but failed to effectively do so.”

Bekes stresses that proper removal of data from computer hard drives “requires more than just pressing the delete button.”

“Even if they try to do it properly, private individuals and businesses take a big risk by attempting to erase hard drives themselves. It is not really a do-it-yourself project.”

Bekes also encourages consumers and businesses to be careful when selecting a recycling service.

“It’s a noble idea to recycle a computer, tablet or smartphone. But it’s important to know the recycling company has the proper technical expertise and takes data destruction seriously. Unfortunately, many recyclers treat data removal rather casually.”

Johnson says NAID is no stranger to similar investigations of recycled computers, pointing out that one year ago another study it commissioned found banks and doctors’ offices were frequently discarding confidential records into commercial rubbish bins. The organisation has also commissioned similar research in the United States, Canada, and Europe.  
“The effective disposal of confidential information is an issue that is easily overlooked,” Johnson said.

“We consider it a public service to remind policymakers and consumers of this ongoing vulnerability. Unfortunately, those who capitalise on easy access to this information are already aware of it.”

According to Johnson, NAID has offered to provide a detailed report of the results, as well as the hard drives themselves, to the Office of the Australian Information Commissioner (OAIC) to facilitate an official regulatory inquiry.

“Should the OAIC decline, the association will ensure the hard drives are securely destroyed to protect those put at risk,” Johnson concluded.


Did you know: Key business communication services may not work on the NBN?

Would your office survive without a phone, fax or email?

Avoid disruption and despair for your business.

Learn the NBN tricks and traps with your FREE 10-page NBN Business Survival Guide

The NBN Business Survival Guide answers your key questions:

· When can I get NBN?
· Will my business phones work?
· Will fax & EFTPOS be affected?
· How much will NBN cost?
· When should I start preparing?


Peter Dinham

Peter Dinham is a co-founder of iTWire and a 35-year veteran journalist and corporate communications consultant. He has worked as a journalist in all forms of media – newspapers/magazines, radio, television, press agency and now, online – including with the Canberra Times, The Examiner (Tasmania), the ABC and AAP-Reuters. As a freelance journalist he also had articles published in Australian and overseas magazines. He worked in the corporate communications/public relations sector, in-house with an airline, and as a senior executive in Australia of the world’s largest communications consultancy, Burson-Marsteller. He also ran his own communications consultancy and was a co-founder in Australia of the global photographic agency, the Image Bank (now Getty Images).