The Ticking Timebomb: Data Breach from Hardware End-Of-Life

November 20, 2018 at 3:54 pm by Heidi White

As everyone in the industry knows, cybersecurity is a hot commodity these days. According to a definition by Techopedia, cybersecurity refers to preventative methods used to protect information from being stolen, compromised, or attacked. There are any number of ways to protect networks and data storage facilities from cyberattacks, and these methodologies are constantly evolving. Just as the flu virus mutates in reaction to vaccines, so do cybercriminals modify their nefarious behaviors in response to cybersecurity enhancements. Therefore, cybersecurity must constantly evolve, becoming more sophisticated and invasive. However, an often-overlooked area of cybersecurity leaves organizations susceptible to data breaches: hardware end-of-life.

Google Data Center, The Dalles, Oregon. Google data centers utilize SEM data destruction devices. Photo courtesy of Tony Webster.

As cloud storage continues to expand at an exponential rate, data centers are popping up all over the globe, and these gargantuan facilities are expected to safeguard the vast amount of data they store. It is now commonplace for data storage facilities to employ a Chief Security Officer (CSO) or a Chief Information Security Officer (CISO) in an effort to stay ahead of hackers and criminals. CSOs and CISOs ensure that data centers are secure and protected by implementing sophisticated products and services including password protection, anti-virus/anti-malware software, software patches, firewalls, two-factor authentication, and encryption methods, all of which come at an extremely high economic cost. According to the 2017 Official Annual Cybercrime Report sponsored by Herjavec Group, it is predicted that global spending on cybersecurity products and services will exceed $1 trillion over the five-year period of 2017 to 2021. Clearly, organizations understand the criticality of a comprehensive data security plan. So why is hardware end-of-life, which is relatively inexpensive in comparison to other cybersecurity spending, not part of this plan?

The answer is simple: a devastating breach has not yet occurred through drive recovery. But it’s only a matter of time.

Airmen from the 341st Communications Squadron at Malmstrom Air Force Base replace worn computer parts, destroy used hard drives, and check system functions as part of their daily operations. The US Air Force utilizes SEM IT destroyers. Photo courtesy Malmstrom Air Force Base.

While it is well understood that recovering files from failed and erased hard drives is relatively simple, much of the evidence in hard drive recovery is anecdotal. Students from various higher learning institutions including MIT and University of Vancouver have conducted studies that found drives sold on eBay to contain sensitive data. Criminals in Africa are well known to salvage old drives from landfills and mine the data for identity theft. Even NAID has conducted a study that found sensitive information on eBay drives. Even more alarming is Idaho Power Company learning that over one third of the drives they had contracted to be destroyed and recycled actually ended up on eBay – along with the sensitive, confidential company and employee data they contained. And there are myriad similar studies and evidence of data recovery from failed or erased drives.

So where is the public outrage and demand for more secure drive disposal? The reality is that there has not yet been a truly significant breach as a result of hardware end-of-life recovery. The NSA has long understood that hardware end-of-life leaves sensitive information vulnerable, and they have strict regulations in place for dealing with information disposal, from paper to optical media to hard drives. But many organizations seem to think that erasure, overwriting, or a quick drill to the drive is “good enough” — dangerous thinking that could not be more erroneous.

SEM’s line of hard drive destroyers eliminate data and meet regulatory requirements.

Truly security-minded organizations understand that the only way to ensure data security and privacy at hardware end-of-life is on-site drive destruction. And while some forward-thinking CSOs and CISOs have already implemented such measures, most have not. It is only a matter of time before a major (read: expensive) breach occurs as a result of end-of-life drive recovery, at which time the masses will demand an explanation as to why drive destruction had not been addressed in the first place. To which I will say, “I told you so.”

Data Security and Third Party IT Asset Disposition – a Paradox

November 17, 2018 at 4:29 pm by Heidi White

Data security is a hot topic these days, and for good reason. In 2017 alone, 1,579 data breaches occurred in the United States with an average cost of $7.35 million per breach. According to the 2017 Data Breach Year-End Review released by the Identity Theft Resource Center (ITRC) and CyberScout, the 2017 breaches represent an unprecedented 44.7 percent increase over the record-breaking number of breaches in 2016, and the number is only expected to grow. In fact, it is anticipated that the global cost of cybercrime will exceed $2 trillion by 2019, which is three times the 2015 estimate of $500 billion.

The top five categories of organizations affected by data breaches include general business, medical/healthcare, banking/credit/financial, education, and government/military, in that order. These categories certainly make sense since they are the organizations that house the most sensitive, and therefore illicitly valuable, data. It should come as no surprise that of these organizations, government/military rounds out the bottom with less than five percent of total breaches. After all, the federal government understands the need for secrecy, and has set the bar for data security and privacy. Even commercial organizations are now trying to implement best practices originally dictated and instituted by government agencies, including the Department of Defense (DoD), the National Security Agency (NSA), Homeland Security, and the Department of Securities and Exchange.

Data breaches affect the privacy and security of individuals, businesses, and governments while costing the breached organization extensively. Costs include everything from covering credit monitoring for affected individuals to settling lawsuits to lost business and reputation. Cost per record of a U.S. data breach is an astounding $245, while the average number of exposed records is over 28,000. Add to that the fact that, according to Soha Systems Survey on Third Party Risk Management, 63 percent of all data breaches are linked to third parties such as vendors, contractors, or suppliers, while only two percent of IT professionals consider third party security a top concern. Clearly, the criticality of data security throughout its lifecycle, including end-of-life which is typically either controlled by a third party IT asset disposition company or ignored altogether, cannot be overstated. The grim reality is that businesses are fully responsible for the data that they collect and store, and a breach resulting from third-party culpability does not deflect liability.

Agbogbloshie, Ghana – Many young men are developing cancer in their 20s as a result of the toxicity of the environment from discarded electronics

It is easy to illustrate the severity of data insecurity resulting from third parties. Ghana, well known to be one of the top sources of cybercrime globally, is home to Agbogbloshie, a digital graveyard in the slums on the bank of the exceedingly polluted Korle Lagoon. This area, known as Sodom and Gomorrah by outsiders, is one of many computer and electronics landfills around the globe. Not only is this area an environmental disaster due to the antimony, arsenic, lead, mercury, and other toxic metals leaching into the water and soil from the electronic devices, it is also a hotbed of sensitive data waiting to be exposed. The discarded computers and electronic devices found in Agbogbloshie come from developed nations around the globe including the United States. Originally pitched to the locals as a means to help with the digital divide, these electronic “donations” actually contain less than 50 percent working computers with the rest being simply electronic trash. The residents have learned to salvage the devices or their parts to turn a small profit, but the real threat comes from the organized crime in the area that scours the drives for personal or sensitive information to use in scams or blackmail.

Used hard drives being sold on Lamington Road in Mumbai, India

As part of an investigation into this digital dumping ground, journalism students from the University of Vancouver, British Columbia purchased seven hard drives at a cost of $35 from an Agbogbloshie e-waste dealer. What they found was shocking: credit card numbers, social security numbers, bank statements, as well as personal information and photos. They also retrieved a sensitive $22 million U.S. defense contract from U.S. military contractor Northrop Grumman’s hard drive, which also contained sensitive contracts with NASA, the Transportation Security Administration (TSA), and Homeland Security. And all of this came from just seven hard drives.

In 2003, two Massachusetts Institute of Technology (MIT) graduate students published a study regarding their purchase of 158 hard drives from places such as eBay and small salvage companies. Of these, 49 contained sensitive information including PII, corporate financials, medical data, and over 5,000 credit card numbers. One of the students, Simson Garfinkel, is now the US Census Bureau’s Senior Computer Scientist for Confidentiality and Data Access and the Chair of the Bureau’s Disclosure Review Board. Prior to that, he was a computer scientist at the National Institute of Standards and Technology (NIST).

In yet another 2003 study, Tom Spring from PC World Magazine acquired ten used hard drives in the Boston, MA area from thrift stores and salvage yards. Nine of these ten drives contained sensitive data including social security numbers, credit card numbers, and banking statements, as well as tax, medical, and legal records. Using the information found on the drives, Spring contacted the original owners of the drives, some of whom had contracted electronics disposal or recycling companies to erase their hard drives.

In 2006, Idaho Power Company learned that 84 of the 230 hard drives they had contracted salvage vendor Grant Korth to sanitize and recycle had actually been sold to third parties on eBay. These drives contained sensitive information including proprietary company information, confidential correspondence, and employee data including social security numbers.

In 2009, Kessler International, a New York based computer forensic firm, purchased 100 drives from eBay over a period of six months. Forty of these drives were found to contain sensitive, confidential, and personally identifiable information as well as corporate financials, personal photos and emails, and even one company’s secret French fry recipe.

In 2014, the National Association for Information Destruction ANZ (NAID-ANZ) published a study regarding their purchase of 52 used hard drives from eBay and other third parties. The recovered drives came from law firms, accountants, medical facilities, educational institutions, and numerous individuals. Data recovered included medical records, social security numbers, tax and financial information, sensitive court case documents, personal photos and videos, bank statements, confidential client information, disability insurance applications including highly sensitive personal financial and medical information, profit and loss statements, employee HR files, company invoices, and spreadsheets including name, address, phone number, salary, DOB, and occupation. Of the drives with recoverable information, over 90 percent of them had deleted or formatted partitions, a clear indicator that the owner had made an attempt to sanitize the data prior to disposal.

We could go on and on.

When disposing of end-of-life data, many companies turn to data disposal or recycling vendors and assume that their drives — and the data they contain — are being handled responsibly and safely. The reality is far different. While there are certainly many reputable data sanitization companies, it is just too risky to entrust sensitive information to any third party, simply because of the unknown. In addition to sloppy or greedy third party IT asset disposition companies, there are a growing number of sham recyclers in operation – companies that offer to pick up and recycle PCs for free, then actually sell them to cyber criminals specifically so they can mine the data they contain for illicit activity.

Hard drive being destroyed in a SEM combo shredder

The only truly secure method of IT asset disposition is drive destruction. While it is tempting to make a few dollars per drive by sending drives to a recycler or attempting to wipe and resell them, the potential cost of a data breach far outweighs any financial gain from reselling. The National Security Agency has long known this truth and requires rotational platter based hard drives to be both degaussed (erased) AND physically destroyed prior to disposal. Not only does drive destruction through crushing, shredding, or disintegration ensure data privacy and security, it is also environmentally responsible. Shredded hard drive scraps are more easily sorted for metals recycling, leaving a smaller quantity of true waste that is less likely to end up in Agbogbloshie.

Masters of Destruction – Electronic Media Shredding

June 13, 2018 at 4:29 pm by SEM

Tuesday, November 28, 2006

Masters of Destruction

Westboro company specialist in sensitive data

By Martin Luttrell TELEGRAM & GAZETTE STAFF

For decades, the federal government and private businesses have used Security Engineered Machinery equipment to shred paper records, and more recently, computer drives, CDs and other electronic records.

And with sensitive information remaining on old computer hard drives, cell phones and BlackBerries, the Walkup Drive company is expanding into full-service data destruction for clients that want secure handling and destruction of their electronic devices.

Founded in Millbury in the late 1960s, SEM employs 44 and is the largest manufacturer of document- and electronic-disintegration equipment, with its shredding and disintegration machines in use by the Departments of Defense and Homeland Security, in State Department embassies around the world and by the U.S. Postal Service. More than 400 central banks worldwide use the company’s equipment for shredding old currency.

The federal government has been the biggest customer, but private industry is catching up as accidental releases of sensitive data make headlines.

SEM showed a reporter a room the company renovated from warehouse space that now houses machines for shredding computers and other electronic data storage devices. Computer hard drives, keyboards and towers moved up an inclined conveyor about 12 feet, where they were dropped into a hopper and ground into pieces an inch or two in size.

“The federal government is light years ahead of the private sector in security,” Mr. Dempsey said. “A lot of companies have paper shredders. But what happens to a CD or diskette? The government has been doing this for years.

“There is not a piece of equipment here that has not been cleared by the NSA (National Security Agency) for classified destruction,” he said. “Not all companies will spend $25,000 for a machine like this. That’s where this service comes into play. We have people that walk in with one hard drive, and we’ll destroy it and let them witness it.”

Clients who ship their items to SEM can even watch over a designated Web site as their computers or other items are destroyed; some 17 video cameras mounted in the ceiling, and more in the hoppers of the machines, beam images of the process.

“We send it premium freight so it can be tracked door to door,” he said. “Some clients put GPS (global positioning system) inside so they know where it is all the time.”

SEM puts bar codes on the hard drives slated for destruction so the customer can document the process, he said.

Inside a locked cage along one wall were several cases and military transport containers holding computer components slated for destruction.

“We look at ourselves as being in the security business,” Mr. Dempsey said. “We approach our shredding as a security division. We’re interested in hard drives, cell phones, DVDs, CD-ROMs and unconventional items,” including X-rays, he said.

Mr. Dempsey held pieces of a computer that had gone through a disintegrator, noting that they were a couple of inches in length. Some clients require that their magnetic data items be in smaller pieces, and those go into another machine, which tears them into pieces an eighth of an inch in diameter.

He pointed out that a piece of a CD that goes through an office shredder contains much more information than would be printed on a piece of office paper. Sophisticated equipment could be used to retrieve that information, along with data thought to be deleted from hard drives, cell phones and other electronic devices, he said.

In addition to tearing electronic data equipment into small pieces, SEM can also use a method known as degaussing, or erasing electronic data, before destroying it, he said.

“From a private-industry point of view, degaussing is all you need to do,” Mr. Dempsey said. “What we’re now seeing in Fortune 500 companies is that they’re defaulting to the federal government’s standards that are NSA-approved.”

He said that when companies consider the damage that could result from sensitive information being compromised, data security is increasingly in demand.

“We bring credibility to the table,” he said. “We’re in the security business. Quite a few of our employees have obtained clearances. They get a background check. We do DOD work. Anyone in this room would need a clearance,” he said, referring to those working in the company’s destruction service.

All employees are drug-screened and go through background and criminal checks, he said.

Mr. Dempsey would not talk about the private company’s finances, but said it made $20,000 from its destruction services two years ago and $300,000 this year. The demand is growing, he said.

“We’ve seen an explosion from companies with financial and health care” records. “With some of the information compromises that have been in the press, they’re adapting. We know how to deal with those issues. …Crisis management is not proactive. That happens after data has been compromised.”

He said the company spent 13 months renovating the area now used for destruction services. Now, he wants the operation to be deemed a secure facility so that it can take on the federal government as a client. That could take another year, he said.

“So far, we’ve been under the radar, doing this as a favor for our clients.”

Talking Trash

at 4:28 pm by SEM
MGMA Connexion, Mar 2004, by Leonard Rosen

Options for the storage and disposal of medical records

As health care organizations endeavor to comply with privacy and security standards mandated by the Health Insurance Portability and Accountability Act (HIPAA), there is growing interest in effective and efficient ways to manage protected medical records – and how to destroy them once they become obsolete.

Neither HIPAA’s privacy standards for paper documents nor its security standards for electronic records dictate specific means of compliance. However, the preamble to Section 164.530 does cite a few examples of appropriate safeguards, such as locking file cabinets that contain protected documents and shredding such documents prior to disposal. For electronic media, Section 164.310 (“Physical safeguards”) requires covered entities to address the “final disposition of electronic protected health information and/or the hardware or electronic media on which it is stored” and to implement procedures for “removal of electronic protected health information from electronic media before the media are made available for re-use.”

Each group’s appointed privacy official must decide which procedures and equipment will best prevent unauthorized, unnecessary and inadvertent disclosure of protected information. For storage, this means locked office doors and cabinets, computer firewalls and passwords, etc. For disposal, it means destroying records. No one should be able to dig trashed records out of the dumpster and misuse them. Discarded medical information often is still confidential.

Destruction equipment abounds

The market offers a variety of record destruction equipment. Paper shredders come in all sizes, speeds, horsepowers and capacities, but there are three basic choices:
  • Personal – Desk-side shredders, available on casters for portability, can shred roughly six to 20 sheets at a time. This is convenient for offices with relatively few documents to destroy.
  • Departmental – Larger facilities with more documents to dispose of may install shredders that can handle 20-50 sheets at a time.
  • Centralized – A heavy-duty shredder can handle up to 400 sheets at a time and destroy bound reports and thick stacks of paper.

Whatever shredder models your practice selects, you will need protocols for managing shredded waste. Some companies offer regular pickup, transporting the trash to landfills or recycling facilities. Also on the market are powerful disintegrators that use rotary-knife systems to reduce high volumes of books, binders, paper bundles and other bulk materials to tiny particles. Depending on the model, these machines even pulverize CDs, DVDs, floppy discs, microfilm, credit cards, ID badges, tape cassettes and circuit boards, slicing them into indecipherable fragments at the rate of up to two tons per hour. Other machines, designed specifically for optical media, can completely remove data-bearing surfaces from CDs and DVDs. Because they leave inner disc hubs intact, the hubs serve as proof of destruction, eliminating the need for detailed logs and witnesses where certification of destruction is required.

Old computers can tell tales

Security may become an issue when a practice donates old computers to a school or some other organization. Most people don’t know that when a digital file is “deleted,” the information actually remains on the computer’s hard drive or a formatted diskette, as do deleted e-mail messages and records of online activity. This information is recoverable with sophisticated tools. Disk-wiping software can prevent unauthorized recovery by overwriting entire drives/disks – or particular sections of them – before these magnetic media are discarded or reused. Overwritten areas should be unreadable, but look for a software brand that meets or exceeds the Department of Defense standard for permanent erasure of digital information. When you require absolute certainty in erasing magnetic media, certain degaussers remove all recorded information in a single pass, allowing hard drives, diskettes, audio and video tapes, and four- and eight-millimeter data cartridges to be reused many times with no interference from previous use. Hand-held degaussing wands erase both floppy and hard computer disks.

For both electronic and paper records, the variety of equipment on the market today enables a medical practice to tailor record-disposal to its particular needs.
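The point above (and the NAID finding earlier on this page that most recoverable drives had deleted or formatted partitions) is easiest to see on a simulated disk. The following is an added illustration, not code from the article or from any vendor: a toy block device with a FAT-style directory, where "delete" and "quick format" only drop directory entries, a pattern scan over the raw image stands in for a recovery tool, and an overwrite pass with a read-back verification stands in for disk-wiping software. The sample records, block size and file names are all constructed for the demo.

```python
import os
import re

BLOCK_SIZE = 16      # tiny blocks keep the demo readable; real disks use 512 or 4096
NUM_BLOCKS = 64

# Constructed sample "records", standing in for the kind of data the studies found.
SAMPLE_FILES = {
    "payroll.txt": b"employee: A. Example, SSN 123-45-6789, salary 54000\n",
    "cards.txt":   b"card 4111-1111-1111-1111 exp 01/20\n",
}

# Patterns a carving/recovery tool would look for in raw bytes (no file system needed).
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(rb"\b\d{4}-\d{4}-\d{4}-\d{4}\b")


class ToyDisk:
    """Minimal volume: a directory (name -> block numbers) over a flat block array.
    As on real file systems, unlinking a file frees its blocks without touching them."""

    def __init__(self):
        self.blocks = bytearray(BLOCK_SIZE * NUM_BLOCKS)
        self.directory = {}                   # file name -> list of block numbers
        self.free = list(range(NUM_BLOCKS))   # blocks are handed out in order

    def write_file(self, name, data):
        needed = -(-len(data) // BLOCK_SIZE)  # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        owned = [self.free.pop(0) for _ in range(needed)]
        for i, blk in enumerate(owned):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE].ljust(BLOCK_SIZE, b"\0")
            self.blocks[blk * BLOCK_SIZE:(blk + 1) * BLOCK_SIZE] = chunk
        self.directory[name] = owned

    def delete_file(self, name):
        # Ordinary delete: forget the entry, mark blocks reusable, leave the bytes alone.
        self.free.extend(self.directory.pop(name))

    def quick_format(self):
        # Quick format: a fresh, empty directory; every data block is left as it was.
        self.directory.clear()
        self.free = list(range(NUM_BLOCKS))

    def raw_image(self):
        return bytes(self.blocks)

    def wipe_free_space(self, random_passes=1):
        """Overwrite every block not owned by a live file: random pass(es), then a
        final zero pass so the result can be verified by a simple read-back compare.
        Returns the block numbers that were wiped."""
        live = {b for owned in self.directory.values() for b in owned}
        targets = [b for b in range(NUM_BLOCKS) if b not in live]
        for _ in range(random_passes):
            for blk in targets:
                self.blocks[blk * BLOCK_SIZE:(blk + 1) * BLOCK_SIZE] = os.urandom(BLOCK_SIZE)
        for blk in targets:
            self.blocks[blk * BLOCK_SIZE:(blk + 1) * BLOCK_SIZE] = bytes(BLOCK_SIZE)
        return targets

    def verify_wiped(self, targets):
        """Read-back check: every wiped block must now hold only the final pattern."""
        zero = bytes(BLOCK_SIZE)
        return all(self.blocks[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] == zero for b in targets)


def carve_records(image):
    """Scan a raw disk image for sensitive-looking records, ignoring the directory,
    which is exactly why deleting or formatting does not protect the data."""
    hits = [m.decode() for m in SSN_RE.findall(image)]
    hits += [m.decode() for m in CARD_RE.findall(image)]
    return hits


def run_demo():
    """Returns how many records a scan finds at each stage of the lifecycle."""
    disk = ToyDisk()
    for name, data in SAMPLE_FILES.items():
        disk.write_file(name, data)
    result = {"after_write": len(carve_records(disk.raw_image()))}

    disk.delete_file("payroll.txt")   # user "deletes" the sensitive file ...
    disk.quick_format()               # ... and then quick-formats before donating
    result["after_delete_and_format"] = len(carve_records(disk.raw_image()))

    targets = disk.wipe_free_space()  # what proper disk-wiping software does
    result["after_wipe"] = len(carve_records(disk.raw_image()))
    result["wipe_verified"] = disk.verify_wiped(targets)
    return result


if __name__ == "__main__":
    print(run_demo())
```

Running it shows both records still carved out of the image after the delete and the quick format, and none after the overwrite pass; the read-back verification is the step a sanitization procedure records before a drive is released, and it is the step that the studies cited above suggest was skipped for most of the drives they bought.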

How to Ensure Information Security in Your Workplace

September 25, 2017 at 2:44 pm by SEM

When running any commercial business, department or government organization today, the last thing you want to hit your organization is a data breach. According to a recent study on the cost of data breaches in the past year, U.S. companies paid an average of $5.4 million to cope with the repercussions of data breaches. Don’t allow your organization to become a victim of a data breach. Here are 5 ways to ensure information security in your workplace:

1. MAKE DATA SECURITY A TOP CONCERN

Through simple, easy to follow security policies, you can train your employees on information security best practices. Additionally, you could appoint a safety committee to help keep security issues a focus.

2. KEEP PHYSICAL INFORMATION SECURE

Keep all physical information your company has secured by only allowing certain personnel to handle it. Give keys or passes to only those who need to have access to that information. Keep tabs on who has handled any sensitive documents and when.

3. CREATE A SECURE DOCUMENT MANAGEMENT POLICY

Keep track of all sensitive documents throughout their life cycle and dispose of them based on compliance regulations. Create a data security checklist and make sure all employees adhere to it.

4. DESTROY HARD DRIVES

The only way to be completely sure that your sensitive data will not fall into the wrong hands is to destroy data from hard drives permanently through hard drive sanitization (otherwise known as degaussing), destruction or in some cases both. Be aware that many office electronics, such as copiers and multi-purpose machines, now contain hard drives that store data, not just computers. If you lease office equipment, check with the vendor to make sure that they dispose of media containing data using secure, environmentally sound processes.

5. BRING IN A PROFESSIONAL

At SEM, your business’ information security and well-being is important to us. If your company is required to comply with certain privacy laws or to meet even higher security compliance levels, you probably want to minimize the huge risk of a data breach. At SEM we offer solutions to all of these information security concerns: expert data destruction and sanitization of every media type, with a certificate of destruction, or equipment solutions that let you run your own secure destruction program and erase or destroy your organization’s data under your own roof.

At SEM, we help businesses and government organizations find real solutions for addressing real information security needs that will reduce their waste disposal costs and improve their environmental footprints, with shredding and recycling service programs that are convenient and secure.

For 50 years SEM has been the largest direct supplier of information destruction and sanitization equipment in the US – where our reputation speaks for itself.

For more information contact us at 800-225-9293.

Shredder Training is the Key to Maximizing the Performance and Life of your Destruction Equipment

July 11, 2017 at 1:59 pm by SEM

Shredders, disintegrators, briquettors, optical media destroyers, HDD/SSD shredders, HDD crushers and degaussers are critical components of your overall information security program. Keeping these systems in good working order is extremely important, and easy to do with proper user training.

Probably the biggest factor in the longevity of any equipment is tied to proper training in the operation, daily maintenance and preventative maintenance. Depending on your equipment and site there are programs that can train your people to operate, maintain and troubleshoot so you avoid problems and keep the equipment up and running well.

Training can be done at your site with your equipment during a scheduled PM call, on a specific scheduled visit to your site, or at a training facility where factory service reps will go over all aspects of operation, daily maintenance and preventative maintenance, as well as tips and tricks to get the most out of your systems and avoid the pitfalls. At the beginning of the training there will be a Q & A to help identify the issues of greatest concern to the group. During the training all participants are encouraged to ask questions and will have the opportunity to get “hands on” so they thoroughly understand the material being taught. After the training and a final Q & A, each participant will be given a certificate of completion designating which equipment they were trained on. This is a great way for users to add value to their skill sets and company capabilities.

The training can be specialized to cover any and all the issues you may be having with your specific equipment, and discuss in detail how to fix and mitigate these in the future.

Some of the things your users will learn from attending training:

Changing knives, clearing and preventing jams, servicing dust filters, proper lubrication, testing belt tension, aligning conveyor belts, and swapping out shredder heads (depending on equipment), among many others.

The goal is maximizing machine availability for the organization and imparting the skills to help users diagnose and recognize potential issues before they become bigger problems.

An investment in a proper training program will pay dividends in equipment uptime and save your organization money in the long run.

Click here for more information on SEM’s Preventative Maintenance and Service plans or call 800-225-9293.

If You Don’t Shred It, You Might Regret It!

December 10, 2013 at 3:45 pm by SEM

This kind of story has replayed thousands of times across our country, and many people are rightly concerned about their online security. However, many overlook securing their paperwork. Shredding is a simple but vital step to safeguarding sensitive paperwork before it ends up in a dumpster. Dumpster diving is still a major way that identity thieves get the information that can ruin your life! Simply make sure it is shredded properly with a cross-cut shredder: shred anything that has a name or an address on it, no exceptions, even junk mail!

The story below is a classic case of what happens when your discarded papers give access to an identity thief. This particular story was reported by the local ABC News affiliate in Tampa, FL about a year ago.

With all the warnings these days to protect your identity when you’re online, John Champion never thought the old tried-and-true method of what police say was dumpster diving by a convicted identity thief could still cause so much trouble.

“There were 12 accounts opened in my name,” Champion recalls. It was a phone call from a detective at the St. Petersburg Police Department that tipped him off, but by that time, it was too late.

In the world of credit, Champion had a good name with an excellent credit score. Until St. Petersburg Police say 49-year-old Brian Katacinski found Champion’s vital information in the trash and went to town.

They claim he not only wrecked Champion’s credit, but that of 12 other victims as well, by opening credit cards and bank accounts in their names. “My credit score went from 748 to 522 in five months’ time,” he says with a look of disbelief on his face.

St. Pete police say when Katacinski didn’t want to get his hands dirty, he cased home mailboxes in the city’s Old Northeast section, looking for outgoing mail stuffed with bills that he knew would be rich with checks and credit card numbers he could duplicate.

Police say Katacinski had plenty of practice. He was busted by federal postal inspectors in 2006 for the same thing. When they arrested him inside his St. Pete motel room this time, investigators say they found several credit cards and check-making materials. Then there were the multiple duplicate drivers’ licenses of his alleged victims.

“Unfortunately, our criminals have the ability to drive around all day and look for those particular signs. Whether your flag is up at a curbside mailbox or your letters are stacking up out of your mailbox,” says St. Pete Sgt. Kevin Smith.

Champion says he was able to recoup some of his lost credit. But all of this was a lesson for him. And he hopes for others. “Shred your paperwork. Don’t put anything out there that’s got your name on it,” he says. And detectives say when it comes to your bills, never put them in your outgoing mail. And better yet, pay them online.

A wide variety of SEM NSA rated paper shredders

Another victim that could have easily been prevented! John Champion would agree that a good offense is shredding your paper before anyone ever has the chance to see any of your personal data. It is far better than dealing with the ongoing effects of identity theft after it occurs.

Check out some of SEM’s cross cut paper shredders now.

Remember: Shred It; So You Won’t Regret It!