Tag: ITAD

Debunking Hard Drive Destruction Misconceptions

September 9, 2020 at 2:18 pm by Amanda Canale

In October 2019, Blancco, an international data security company, released an article discussing various end-of-life data destruction methods and comparing drive destruction to data erasure. While we agree with some of what was written, we’d like to clear up a few things.

In the article, Blancco recommends weighing the level of impact certain end-of-life data can have in the case of a data breach combined with how quickly the data may age out. They then suggested basing the method of sanitization off of that assessment. We want to stress that there should never be an assessment of this nature when handling sensitive, confidential, or personally identifiable information (PII). It is always best practice to treat all end-of-life data as never aging out and having a potentially high level of harm if breached as both can be impossible to predetermine. Remember, there is no statute of limitations when it comes to data breach, meaning that an end-of-life drive can cause a breach years after it was discarded.

While some companies argue that drives should be reused as a more economical option, we disagree. By reusing devices, a company risks that leftover unencrypted or encrypted data getting into the wrong hands. Companies should future-proof their end-of-life data destruction procedures to ensure the prevention of future data breaches. This will not only save them time and money in the long run but prevents any damages to their customer base and reputation. (It’s better to be safe now than sorry in the long run!)

Blancco also notes that using a third-party vendor to sanitize and destroy end-of-life data and devices is an option. Morgan Stanley recently came under fire for the alleged data breach of their clients’ financial information after an ITAD (IT asset disposition) vendor misplaced a number of various computer equipment that were storing customers’ personally identifiable information (PII). Even though Blancco suggests carefully researching and vetting the vendors to ensure they are properly destroying your devices, introducing a third party significantly increases the chain of custody and companies face a far higher risk of data breach every step of the way when opting for this route.

While there are some reputable data sanitization vendors out there, it can be far too easy for ITAD vendors to misuse, mishandle, and misplace drives when in transportation, and in the actual acts of destruction and disposal. There have even been reports of some vendors selling end-of-life devices and their sensitive information to online third parties. We suggest getting rid of ITADs altogether if they’re part of your device destruction procedure simply because the security risks can be unpredictable and potentially catastrophic. Instead, we suggest purchasing one of our NSA listed devices, keeping the chain of custody within the company, and conducting all destruction in-house. You can read more of our thoughts on Morgan Stanley’s data breach here.

information-destruction

A common data destruction misconception is that erasing or overwriting a drive and degaussing are synonymous with one another. Unfortunately, that kind of thinking can quickly become dangerous depending on the kind of information you are looking to destroy. While methods such as cryptographic erasure and data erasure would allow the drive to be used again, as Blancco suggests, you run the high risk of leaving behind sensitive data which can become a gold mine for hackers and thieves.

While degaussing is not possible for the destruction of end-of-life data on solid state drives (SSDs), SEM always recommends following NSA standards and degaussing all magnetic media, including hard disk drives (HDDs), prior to destruction. Solid state drives (SSDs) and optical media do not require it as part of the destruction process but crushing and/or shredding is recommended. By degaussing HDDs, companies are choosing the most secure method of data sanitization per NSA guidelines as this is the only way companies can be certain that their data has been properly destroyed. When magnetic media is degaussed, the machines use powerful magnetic fields to sanitize the magnetic tapes and drive, wiping all sensitive information from the device. This act renders the drive completely inoperable, which should always be the goal.

Once the device has been degaussed, it should be physically destroyed. The combination of degaussing and physical destruction for HDDs is without a doubt the most secure method of ensuring your end-of-life data stays at the end of its life. Not even the most skilled of hackers will be able to get any information off of the drive, simply because there’s nothing left on it to hack!

Regardless of the catalyst for end-of-life drive destruction, it is always best practice to conduct destruction and degaussing in-house. It is also important to remember that a data breach is a data breach, no matter the level of impact. Blancco writes that, “not all degaussing machines are adequate to the task of demagnetizing all HDDs.” They’re right.

At SEM we have an array of various high-quality NSA listed/CUI and unclassified magnetic media degaussers, IT crushers, and enterprise IT shredders to meet any regulation. Any one of our exceptional sales team members are more than happy to help answer any questions you may have and help determine which machine will best meet your company or federally regulated destruction needs.

Think Your End-of-Life Data is Destroyed? Think Again!

August 25, 2020 at 9:00 am by Amanda Canale

When it comes to our personal data, some companies will go above and beyond to obtain it. Unfortunately, some companies don’t always take the same time and care when it comes to the destruction of that data. Recently, Morgan Stanley has come under fire for the possible data breach of their clients’ information. On July 10, the financial institution issued a statement to their clients that there were, “potential data security incidents” related to their personal information.

The incidents, which have occurred over a span of four years, were caused by an ITAD (IT asset disposition) vendor misplacing a number of various computer equipment that were being used to store customers’ personally identifiable information (PII).

data-privacy-day

A company like Morgan Stanley risks data security breaches every step of the way when opting for a third-party route; this can not only cause irreparable damage to their clients but to their brand as well. The belief that recycling hard disk drives (HDDs) and solid state drives (SSDs) is best practice, can, unfortunately, lead to major consequences.

While there are some reputable data sanitization companies in existence, if a company chooses to utilize an ITAD vendor instead of conducting end-of-life destruction in-house, the number of safety risks can be immeasurable. It can be far too easy for an ITAD vendor to mishandle or misuse drives when in transportation, being sorted by staff, and in the actual acts of destruction and disposal. Some contracted salvage vendors have even been known to sell the equipment they are given to online third parties.

It is a scary but common misbelief that simply erasing drives clean is enough to keep your information safe. When erasing data off of a drive, it’s possible that unencrypted and encrypted information can linger and be easily accessible by hackers. Morgan Stanley chief information security officer, Gerard Brady, wrote, “The manufacturer subsequently informed us of a software flaw that could have resulted in small amounts of previously deleted data remaining on the disks in unencrypted form.”

While Morgan Stanley has issued a statement promising that they will pay for two years of credit monitoring for their customers whose data may have been breached, it frankly isn’t enough for some clients as this possible breach may not affect them until much later.

“There is no statute of limitations on future data breaches,” writes Bob Johnson of the National Association for Information Destruction (NAID). “If a hard drive turns up five or 10 years down the road with personal information on it, it is still a data breach plain and simple. Ignoring missing or improperly wiped electronic media today simply means there are a bunch of time bombs floating around.”

It is this particular reason why we at SEM stress that all hard disk drives be degaussed and destroyed and done so in-house. When destroying data in-house, companies can be positive that the data is successfully destroyed whereas when given over to a vendor, the company forfeits any and all oversight. SEM degaussers use powerful magnetic fields to sanitize the magnetic storage media which renders the drive completely inoperable. No matter what the industry, purchasing in-house, end-of-life data destruction equipment is well worth the investment simply because it is impossible to be certain that all data has been destroyed otherwise. This can in turn potentially save the company more time and money in the long run by preventing breach early on.

While Morgan Stanley was unaware of the dangers that come with hiring third party data sanitization companies, they, along with their clients, are unfortunately the ones who are left to suffer the consequences of the vendor’s negligence.

At SEM we have an array of various high-quality NSA listed/CUI and unclassified magnetic media degaussers, IT crushers, and enterprise IT shredders to meet any regulation. Any one of our exceptional sales team members are more than happy to help answer any questions you may have and help determine which machine will best meet your personal or regulated destruction needs.

(To read more about how one’s trash can easily become another’s treasure, read one of our previous blog posts here.)

The Criticality of On-Site Data Destruction in Secure IT Asset Disposal

November 21, 2018 at 3:38 pm by Heidi White

PII-securityAs the world marches inexorably towards a completely digital future, there is an ever-increasing demand for cloud-based data storage. To accommodate this digital sprawl, expansive data centers are being built at a rapid rate, with their servers continuously writing and overwriting data onto increasingly dense hard drives, with absolutely no downtime. As a result, data centers are constantly removing and replacing hard drives as they fail. The big question: what happens to the old drives?

The answer is not a simple one. Several methodologies are utilized for end-of-life data disposal, many of which are determined by security compliance requirements — such as NSA, NIST, HIPAA, and more recently GDPR— as well as health, safety, and environmental standards. In addition, volume of e-waste and drive type also come into play when determining the best solution for IT asset disposition, or ITAD. Regardless of the methodology employed, the commonality of secure ITAD is the critical importance of complete data sanitization.

cybersecurityNews stories on data breaches, cybersecurity threats, and compromised personal information have become a daily occurrence, and both rotational hard disk drives (HDDs) and solid state drives (SSDs) store vast amounts of data on small surfaces. Even when these devices are cracked, scratched, or broken, data is still retrievable from remaining fragments — as long as the remaining pieces are large enough. Drilling into a platter-based hard drive or snapping a solid state drive into several pieces is largely ineffective at preventing the possibility of data retrieval. Likewise, erasure, overwriting, and/or reuse of hard drives is a completely inadequate method of end-of-life data disposal. Erasure and overwriting frequently miss small blocks of data on the drive, making reuse an absolute security disaster. Even small amounts of personal or sensitive data left on a drive can result in catastrophe if the device is compromised. Any company truly concerned about secure ITAD understands that total destruction of the drive is the only acceptable option.

HDD and SSD destruction is accomplished through crushing, shredding, or disintegration of the drive, and the ultimate solution is largely dependent upon drive type, volume, and security requirements. In addition, convenience, operator health and safety, space limitations, user interface, noise concerns, and budget also have an impact. Choosing the right solution isn’t as simple as picking a shredder from a catalog, and instead requires a comprehensive situational consultation and assessment. Because most manufacturers of data destruction devices don’t offer consultative services, many data centers, hospitals, educational, and financial institutions find themselves frustrated with the process and instead turn to outside vendors to manage their data destruction – a decision that invites the potential for serious consequences.

Third party data destruction services are available as either off-site or on-site. Off-site services pick up discarded drives at the client’s location and transport them to a data destruction center. The inherent risk with off-site data destruction is three-fold:

  1. Allowing drives with live data to leave the premises increases liability.
  2. Some less-than-savory off-site destruction companies have been known to employ questionable business practices. For example, one company caught their disposal vendor trying to outsource destruction to a third party, and then caught a different vendor selling off old devices rather than destroying them, even though their contract explicitly said not to do so.
  3. The extended chain of custody with off-site destruction exacerbates risk.

Third party on-site data destruction is a better option, but still carries with it some uncertainty. Third-party destruction services only provide the most commonly utilized destruction devices; therefore, unique devices and more stringent regulatory requirements present challenges to many third-party providers. In addition, drives still physically leave the premises and are in the hands of people not in the drive owner’s employ. Unfortunately, the introduction of each and every outside element adds a layer of risk that exponentially increases liability.

degauss-destroy
SEM’s degauss, destroy, document bundle provides audit-proof peace of mind for secure information end-of-life. NSA listed and NIST compliant.

Clearly, the safest, most secure methodology for sensitive end-of-life asset disposal is in-house, on-site hard drive destruction. Fortunately, solutions exist that readily meet the strictest regulatory, health, safety, and environmental requirements, as well as accommodate today’s more rugged enterprise drives and ever-increasing drive volume. Shredders and disintegrators are available with different final particle shred sizes, horsepower, throughput, and even noise level, and degaussing and crushing solutions are available that meet even the NSA’s stringent two-step requirement for secure HDD disposal. The most demanding organizations will even find the availability of comprehensive in-house documentation options that provide a fully audit-proof destruction paper trail for meticulous record-keeping that mitigates liability.

SEM has over 50 years of industry experience. Click for timeline.

One question remains: what is the best in-house data destruction setup? The reality is that there is no easy answer. Determining the most efficient and effective solution can pose a challenge without proper guidance, and most data destruction solution providers have limited depth of expertise. After all, the demand for large-scale secure data destruction is relatively new, as data centers didn’t even exist until the early 1990s. Having been in the secure information destruction business since 1967, SEM provides a unique approach to end-of-life ITAD by working as a trusted partner with our clients, who benefit from our extensive industry knowledge and decades of experience with top secret government clients and their demanding destruction requirements. The good news is that once the most cost-effective and secure in-house data destruction solution has been determined, security-focused organizations enjoy the ultimate in data protection, efficiency, and peace of mind.

Data Security and Third Party IT Asset Disposition – a Paradox

November 17, 2018 at 4:29 pm by Heidi White

Data security is a hot topic these days, and for good reason. In 2017 alone, 1,579 data breaches occurred in the United States with an average cost of $7.35 million per breach. According to the 2017 Data Breach Year-End Review released by the Identity Theft Resource Center (ITRC) and CyberScout, the 2017 breaches represent an unprecedented 44.7 percent increase over the record breaking number of breaches in 2016, and the number is only expected to grow. In fact, it is anticipated that the global cost of cybercrime will exceed $2 trillion by 2019, which is three times the 2015 estimate of $500 billion.

financial-dataThe top five categories of organizations affected by data breaches include general business, medical/healthcare, banking/credit/financial, education, and government/military, in that order. These categories certainly make sense since they are the organizations that house the most sensitive, and therefore illicitly valuable, data. It should come as no surprise that of these organizations, government/military rounds out the bottom with less than five percent of total breaches. After all, the federal government understands the need for secrecy, and has set the bar for data security and privacy. Even commercial organizations are now trying to implement best practices originally dictated and instituted by government agencies, including the Department of Defense (DoD), the National Security Agency (NSA), Homeland Security, and the Department of Securities and Exchange.

Data breaches affect the privacy and security of individuals, businesses, and governments while costing the breached organization extensively. Costs include everything from covering credit monitoring for affected individuals to settling lawsuits to lost business and reputation. Cost per record of a U.S. data breach is an astounding $245, while the average number of exposed records is over 28,000. Add to that the fact that, according to Soha Systems Survey on Third Party Risk Management, 63 percent of all data breaches are linked to third parties such as vendors, contractors, or suppliers, while only two percent of IT professionals consider third party security a top concern. Clearly, the criticality of data security throughout its lifecycle, including end-of-life which is typically either controlled by a third party IT asset disposition company or ignored altogether, cannot be overstated. The grim reality is that businesses are fully responsible for the data that they collect and store, and a breach resulting from third-party culpability does not deflect liability.

digital-dumping-ground
Agbogbloshie, Ghana – Many young men are developing cancer in their 20s as a result of the toxicity of the environment from discarded electronics

It is easy to illustrate the severity of data insecurity resulting from third parties. Ghana, well known to be one of the top sources of cybercrime globally, is home to Agbogbloshie, a digital graveyard in the slums on the bank of the exceedingly polluted Korle Lagoon. This area, known as Sodom and Gomorrah by outsiders, is one of many computer and electronics landfills around the globe. Not only is this area an environmental disaster due to the antimony, arsenic, lead, mercury, and other toxic metals leaching into the water and soil from the electronic devices, it is also a hotbed of sensitive data waiting to be exposed. The discarded computers and electronic devices found in Agbogbloshie come from developed nations around the globe including the United States. Originally pitched to the locals as a means to help with the digital divide, these electronic “donations” actually contain less than 50 percent working computers with the rest being simply electronic trash. The residents have learned to salvage the devices or their parts to turn a small profit, but the real threat comes from the organized crime in the area that scours the drives for personal or sensitive information to use in scams or blackmail.

used-hard-drive
Used hard drives being sold on Lamington Road in Mumbai, India

As part of an investigation into this digital dumping ground, journalism students from the University of Vancouver, British Columbia purchased seven hard drives at a cost of $35 from an Agbogbloshie e-waste dealer. What they found was shocking: credit card numbers, social security numbers, bank statements, as well as personal information and photos. They also retrieved a sensitive $22 million dollar U.S. defense contract from U.S. military contractor Northrop Grumman’s hard drive, which also contained sensitive contracts with NASA, the Transportation Security Administration (TSA), and Homeland Security. And all of this came from just seven hard drives.

In 2003, two Massachusetts Institute of Technology (MIT) graduate students published a study regarding their purchase of 158 hard drives from places such as eBay and small salvage companies. Of these, 49 contained sensitive information including PII, corporate financials, medical data, and over 5,000 credit card numbers. One of the students, Simson Garfinkel, is now the US Census Bureau’s Senior Computer Scientist for Confidentiality and Data Access and the Chair of the Bureau’s Disclosure Review Board. Prior to that, he was a computer scientist at the National Institute of Standards and Technology (NIST).

old-hard-driveIn yet another 2003 study, Tom Spring from PC World Magazine acquired ten used hard drives in the Boston, MA area from thrift stores and salvage yards. Nine of these ten drives contained sensitive data including social security numbers, credit card numbers, and banking statements, as well as tax, medical, and legal records. Using the information found on the drives, Spring contacted the original owners of the drives, some of whom had contracted electronics disposal or recycling companies to erase their hard drives.

In 2006, Idaho Power Company learned that 84 of the 230 hard drives they had contracted salvage vendor Grant Korth to sanitize and recycle had actually been sold to third parties on eBay. These drives contained sensitive information including proprietary company information, confidential correspondence, and employee data including social security numbers.

In 2009, Kessler International, a New York based computer forensic firm, purchased 100 drives from eBay over a period of six months. 40 of these drives were found to contain sensitive, confidential, and personally identifiable information as well as corporate financials, personal photos and emails, and even one company’s secret French fry recipe.

NAIDIn 2014, the National Association for Information Destruction ANZ (NAID-ANZ) published a study regarding their purchase of 52 used hard drives from eBay and other third parties. The recovered drives came from law firms, accountants, medical facilities, educational institutions, and numerous individuals. Data recovered included medical records, social security numbers, tax and financial information, sensitive court case documents, personal photos and videos, bank statements, confidential client information, disability insurance applications including highly sensitive personal financial and medical information, profit and loss statements, employee HR files, company invoices, and spreadsheets including name, address, phone number, salary, DOB, and occupation. Of the drives with recoverable information, over 90 percent of them had deleted or formatted partitions, a clear indicator that the owner had made an attempt to sanitize the data prior to disposal.

We could go on and on.

When disposing of end-of-life data, many companies turn to data disposal or recycling vendors and assume that their drives — and the data they contain — are being handled responsibly and safely. The reality is far different. While there are certainly many reputable data sanitization companies, it is just too risky to entrust sensitive information to any third party, simply because of the unknown. In addition to sloppy or greedy third party IT asset disposition companies, there are a growing number of sham recyclers in operation – companies that offer to pick up and recycle PCs for free, then actually sell them to cyber criminals specifically so they can mine the data they contain for illicit activity.

SSD-shredder
Hard drive being destroyed in a SEM combo shredder

The only truly secure method of IT asset disposition is drive destruction. While it is tempting to make a few dollars per drive by sending to a recycler or attempting to wipe and resell, the potential cost of a data breach far outweighs any financial gain from reselling. The National Security Agency has long known this truth and requires rotational platter based hard drives to be both degaussed (erased) AND physically destroyed prior to disposal. Not only does drive destruction through crushing, shredding, or disintegration ensure data privacy and security, it also is environmentally responsible. Shredded hard drive scraps are more easily sorted for metals recycling, leaving a smaller quantity of true waste and less likely to end up in Agbogbloshie.