HAMR vs. MAMR: What’s the Difference?

May 14, 2021 at 5:59 pm by Amanda Canale

Before we get into the nitty gritty differences between HAMR and MAMR and what they are, we want to give a quick refresher on hard disk drives (HDDs) and solid state drives (SSDs).

HDDs

Hard disk drives (HDDs) are a type of data storage device that use rotating disks, platters, and magnetic material to store and retrieve data. HDDs also contain actuator arms that read and write data while the rotational platters spin. While HDDs are cheaper and can store more data than their counterpart the SSD, they are slower and susceptible to data loss when interacting with magnets due to their internal magnetic material.

When it comes to destroying end-of-life HDDs, SEM always suggests best practices per the National Security Agency (NSA). Depending on the information stored on HDDs, they should always be destroyed either by shredding or crushing; however, if a drive contains classified information, degaussing prior to destroying the drive is required. Degaussing is the process by which a drive’s magnetic field is essentially scrambled, making the data and drive completely inoperable. Once degaussed, the drive should then be crushed or shredded by an NSA approved crusher or shredder. Combined, this is by far the most secure method of data sanitization for HDDs.

SSDs

Solid state drives (SSDs) are another type of data storage device that store data using integrated circuits. Unlike HDDs, SSDs do not include an actuator head and instead store information in cells that can be retrieved instantaneously. SSDs are also considerably faster than HDDs, causing computers to run much more quickly. The downside? SSDs store less data per drive and can be significantly more expensive.

Since SSDs do not contain magnets, they cannot be degaussed. Therefore, they must be destroyed by a machine that is SSD-specific given the necessary final particle size. The final particle size is crucial to ensuring that none of your SSDs’ information is left behind. Since SSDs do not contain rotational platters, any small chip that is not destroyed can potentially contain proprietary information and get into the wrong hands. The NSA requires that end-of-life SSDs containing classified information be destroyed to a final particle size of 2mm or less. Drives containing other kinds of information can be destroyed in an SSD disintegrator, shredder, or crusher.

Now let’s get to it! Technical lingo aside, the two main techniques used to increase a hard disk drive’s capacity are adding more platters to the drive in order to increase its density, or adding more bits (or pieces of data) on a disk. Heat-assisted magnetic recording (HAMR) and microwave-assisted magnetic recording (MAMR) are just two steps in the evolutionary trajectory of data storage management.

HAMR

Since the media must be heated as data is being written, heat-assisted magnetic recording (HAMR) applies laser-powered heat to the drive’s grains, reducing the drive’s magnetic hardness. This process allows the drive to flip its magnetic polarity, and therefore bit value, through the temperature changes. This method uses recording material that is less prone to thermal instability, leading to smaller recording bits in HDDs, and greater stability and reliability of media.

MAMR

Microwave-assisted magnetic recording (MAMR) uses a different technique to essentially accomplish the same goal. Instead of laser-powered heat, MAMR uses 20-40 GHz frequencies to bombard the HDD’s disk platter with circular microwave fields. During this method, the drive’s actuator head uses a spin-torque oscillator that creates an electromagnetic field near the write pole at a lower magnetic field that enables denser and more reliable drives. Unlike HAMR, MAMR can flip the domain’s magnetic polarity much more easily.

While both methods serve essentially the same purpose of lowering magnetic hardness to increase storage capacity, some experts cannot seem to agree which is more sustainable. While MAMR technology is expected to increase an HDD’s capacity from 4 TBpsi to approximately 40 TB, HAMR can only increase its capacity from 2 TBpsi to between 20 and 40 TB. HAMR supporters claim that the laser technology allows drives to spin for much longer and with fewer issues, whereas MAMR supporters claim that high heat actually causes a drive to burn out faster.

It is important to note that HAMR drives cannot be degaussed at this point. Conversely, MAMR drives CAN be degaussed; that said, a question remains on the required gauss level to fully sanitize MAMR drives. Existing degausser technology is such that residual data remains on degaussed MAMR drives even when using a 20,000 gauss NSA listed degausser. It is therefore accepted within the industry that existing NSA listed degaussers will be insufficient to sanitize HAMR and MAMR drives and that these drives will need to be either disintegrated to 2mm or incinerated at end-of-life.

How NOT to Destroy Hard Drives

March 2, 2021 at 8:00 am by Amanda Canale

Since the first days of chat message boards and social media profiles, we’ve all heard the saying, “don’t put all of your information online because it never truly goes away.” The same can be said for end-of-life data and information on rotational hard disk drives (HDDs): once information is on there, it’s sometimes near to impossible to fully remove. Aside from implementing a secure, in-house destruction plan, there are many other methods we do not recommend using. Let’s break some of those down.

Recycling and/or Throwing Away

While we support the green initiative in trying to recycle your end-of-life drives, unfortunately, this cannot be securely done. For starters, the majority of our waste and recycling ends up in landfills and dumpsters which are gold mines for hackers and thieves. On top of that, recycling and waste is not transported securely, making it easy for people to intercept and have access to your most sensitive information.

It is reported that, on average, recyclables and waste sit on sorting floors for up to four weeks before finally being destroyed. Anything can happen within that length of time! After this period, remnants of your information or data are not magically sorted; dozens of employees sort what the machines cannot and have direct access to your data. By opting for a seemingly eco-friendlier alternative, you will only put your data at more risk.

Deleting and/or Overwriting

One of the more common (and misleading) data destruction misconceptions is that erasing or overwriting the information of an end-of-life drive and degaussing are synonymous with one another. While methods such as cryptographic erasure and data erasure would allow the drive to be used again, they are not a secure and foolproof method of destruction. Information, whether encrypted or unencrypted, can still linger behind on the drive and be accessed, even if it has previously been deleted or overwritten.


Burning

Burning a hard drive, whether with a blow torch or roasting it on a stick, is highly discouraged. Not only would this require protective gear and holding platters at a safe distance with a heat resistant tool, but burning hard drives will also cause harmful fumes to be released into the air in the process.

Unfortunately, just because a drive experiences physical damage, it does not mean that the information has taken the same hit. Take for instance the 2003 explosion of the Columbia space shuttle. As the spacecraft made its way into the atmosphere, a piece of the insulation foam had detached, causing it to become enflamed and combust. The horrific disaster resulted in the loss of everyone aboard as the shuttle disintegrated on its way back to Earth.

Just about six months later, a rotational hard drive that was aboard the Columbia was found in a riverbed. It was discovered that the drive had not only survived the initial explosion, but it also survived a 40-mile fall while on fire at terminal velocity and staying in a muddy riverbed for six months. The most interesting part? Even after surviving all of that, it was discovered that 99% of the data that resided on the drive was recovered. It’s safe to say that burning a hard drive is not only harmful to you and the environment but is a tactic that simply won’t work. We suggest sticking to roasting just marshmallows over future fires.

Photo of recovered Columbia space shuttle hard drive


ITAD

ITADs, or information technology asset disposition companies, are third-party vendors that sanitize and destroy end-of-life data and drives. While the appeal of these types of companies can be quite convincing, we at SEM do not recommend utilizing these types of companies when getting rid of your end-of-life data. While there are some reputable ITAD and data sanitization companies out there, the risk may not be worth the convenience. Security risks can be unpredictable and potentially catastrophic as it can be far too easy for ITAD vendors to misuse, mishandle, and misplace drives when in transportation, destruction, or disposal. It has also been reported that some vendors sell end-of-life devices and their sensitive information to online third parties.

During the summer of 2020, financial institution Morgan Stanley came under fire for an alleged data breach of their clients’ financial information after an ITAD vendor misplaced a number of drives that were storing personally identifiable information (PII). Instead, we suggest purchasing one of our NSA listed devices, keeping the chain of custody within the company, and conducting all destruction in-house.

Other (Un)Worthy Methods

  • Submerging the HDD in acid
  • Using a drive as target practice
  • Running over HDDs with your car
  • Giving HDDs a bubble bath
  • Physical destruction with a blunt object
  • Attaching industrial-strength magnets

Regardless of the catalyst for end-of-life drive destruction, it is always best practice to conduct destruction and degaussing in-house. While degaussing is not possible for the destruction of end-of-life data on solid state drives (SSDs), SEM recommends always following NSA standards and degaussing all magnetic media, including hard disk drives (HDDs), prior to destruction. Solid state drives (SSDs) and optical media cannot be degaussed, so crushing and/or shredding is recommended.

By first degaussing then physically destroying HDDs, companies are choosing the most secure method of data destruction per NSA guidelines as this is the only way to be certain that the end-of-life data has been properly destroyed. When magnetic media is degaussed, our devices use powerful magnetic fields to sanitize the magnetic tapes and drive, wiping all sensitive information from the device. This act renders the drive completely inoperable, which should always be the end goal. Once the device has been degaussed, it should be physically destroyed. The combination of degaussing and physical destruction for HDDs is without a doubt the most secure method of ensuring your end-of-life data stays at the end of its life.

It is also important to remember that a data breach is a data breach, no matter the level of impact. While not all degaussing machines are adequate to demagnetize all rotational hard disk drives, at SEM we have an array of various high security NSA listed/CUI and unclassified magnetic media degaussers to meet any need and regulation.

One Person’s Trash Really is Another’s Treasure

June 15, 2020 at 9:02 pm by Flora Knolton

It is typical for companies to focus more on the security of their digital network than on physical protection of documents and data. Physical security tends to fall by the wayside even though it’s fairly easy for criminals to go dumpster diving. Even if the organization doesn’t end up losing all important assets in a breach, it is common for it to still suffer irreversible brand damage. In 2007, Radio Shack dumped more than 20 boxes containing personally identifiable information (PII) for thousands of customers. A man rummaging through the dumpster found the boxes and reported it. Shortly following, the State of Texas filed a civil lawsuit against Radio Shack for exposing its customers to identity theft. The state’s lawsuit claims the company “failed to safeguard the information by shredding, erasing, or other means, to make it unreadable or undecipherable before disposing of its business records.” Cases like this are common, and identity theft has become a major problem worldwide.

The Recycling Myth

Many believe that recycling is a very different process from trash processing and somewhat safer in terms of data security. This understanding is far from the truth. People mostly understand that trash ends up in landfills where anyone could find sensitive material. At the same time, many people often think that recycling is safer for confidential documents since they will be destroyed and repurposed instead of being shipped to a landfill. In actuality, recycling is not transported securely. In fact, recycling trucks look like every other garbage truck, where documents and other personally identifiable information (PII) will be blowing around in the truck before being dropped off at the recycling facility. On average, recyclables sit on sorting floors for anywhere from 2-4 weeks before being destroyed. The remnants don’t sort themselves either; dozens of employees sort what the machines cannot and will have access to documents before they are destroyed. As opposed to destroying the documents yourself, there is absolutely no way of proving sensitive information has been destroyed when you send it to the recycler.

Protect the Customers and Employees, Protect the Business

Consumer privacy legislation has been increasing around the United States within the last few years. Recent laws such as the NY SHIELD Act and the California Consumer Privacy Act (CCPA) are giving consumers more rights relating to the access, deletion, and sharing of personal information that is collected by businesses. These laws give consumers a large amount of freedom over their personal information, which could open up a host of severe penalties and lawsuits for companies that fail to comply with these regulations. This trend is also being seen elsewhere, such as in the European Union’s General Data Protection Regulation (GDPR) and India’s Personal Protection Bill, and it is expected to continue on this uptick everywhere in the near future. Knowing this, there is a heavier weight on organizations to protect customers’ personal and secure information or the company will be at risk for mishandling said information and could be subject to harsh monetary penalties. Employees have the same legal right to privacy as customers and expect their employer to keep their information secure as well. At the end of the day, the stakeholders will pull the most weight, and it’s important to treat their information the same as how you’d want your own sensitive information dealt with/disposed of.

Secure Your Disposal of Records

Businesses have a choice when it comes to how they want to dispose of their paper records, usually weighing the convenience, cost, and legal risks involved with complying with their industries’ standards or regulations. In U.S. government law, secure disposal is required when a record contains classified, controlled unclassified (CUI), or personally identifiable information (PII) such as address, phone number, names, emails, social security numbers, and more that can be used to identify an individual. It’s easy to consider the cost when opting for a third-party shredding company, but can you really be certain that all the documents are being shredded? It’s impossible to tell. Despite widespread adoption of electronic health record systems, most hospitals still use both paper and electronic documents for patient care. Healthcare cyberattacks overall are on the rise, with nearly 32 million patient records breached in 2019. It’s crucial to find a balance between digital security and physical destruction in the workplace. Increasing communication between colleagues so they are informed of appropriate processes can help mitigate potential breaches in regard to disposing of information no longer retained by the institution.

No matter what the industry, at SEM we have many high-quality NSA Listed/CUI and unclassified paper shredders to meet any regulation. For those looking for an eco-friendly device that’s also listed on the NSA EPL for Paper Shredders, we recommend the Model 1201CC High Security Shredder. It was tested oil-free by the NSA for classified document destruction due to its specially designed cutting head that is also fully replaceable, lowering total cost of ownership. Destroying physical data in-house may seem like a costly purchase in the short term but could end up saving a company exponentially in the long run by preventing a breach. With regular maintenance, a quality shredder such as the 1201CC can last a lifetime. We’re happy to help answer any questions concerning personal or regulated shredding needs.

Paper and CDs and Drives, Oh My!

May 19, 2020 at 10:00 am by Flora Knolton
Shredded SSD Particles

When destroying data or media, the goal is to have it rendered useless and left unrecoverable. Destroying data means it’s no longer possible for the files to be read by an application or system. In reality, information can stay on hard drives long after a file has been deleted, so physical destruction should always be a part of the decommissioning process. Consider an investigation by the UK’s Information Commissioner’s Office. This study found that one-in-ten second-hand hard drives still contain the original user’s personal information. Of the 200 hard disks they purchased on eBay, 11% contained Personally Identifiable Information (PII), and two of the drives contained enough information to steal the former owners’ identities. More and more companies are being run digitally each year and are depending on electronic media to secure their data, and at the end of their lifecycle, these storage media must be securely destroyed to maintain data security. When destroying data, it’s important for organizations to consider the cost and time while making sure their methods are up to par with industry specific regulations such as the General Data Protection Regulation (GDPR), NSA Guidelines for Media Sanitization, and the National Institute of Standards and Technology (NIST) 800-88, to name a few. While cost is a factor, without an investment in such destruction devices, a breach may cost the company exponentially in the long run.

High security shredded paper.

For paper, SEM has many NSA evaluated shredders on the Evaluated Products List (EPL) prepared by the NSA, along with Unclassified Paper Shredders. Optical/Mixed Media Destroyers are designed specifically to destroy all different types of e-media like CDs, DVDs, key tape, Blu-ray Discs (BDs), credit cards, ID badges, and key access cards. The Model 0201 optical media shredder is a high capacity optical media shredder listed on the NSA EPL for CD destruction. It accepts classified CDs as well as unclassified DVDs and BDs, is TAA compliant, and includes a basic start-up kit with lubricating sheets and anti-static waste collection bags. The Model 0200 OMD/SSD is similar to the Model 0201; however, it is a slower machine that can also destroy classified DVDs, BDs, credit cards, magnetic stripe cards, CAC IDs, and SIM cards. Compact and easy to use, these two devices are perfect for meeting NSA requirements for various forms of media.

For most magnetic media, a crusher or shredder used on its own can be acceptable, but for classified hard drives they must be degaussed prior to crushing or shredding. Degaussing renders the magnetic media scrambled, unreadable, and unusable. This two-step data sanitization is mandated by the Department of Defense for classified data, and data centers implement this best practice for end-of-life data destruction. Normally, physical destruction alone (either crushing or shredding) is the most common method of disposal for unclassified Hard Disc Drives (HDDs); however, security-focused organizations utilize the DoD’s degauss and destroy recommendation. The Model EMP1000-HS has been evaluated by the NSA and is listed on the NSA EPL for high security degaussers and can be easily transported to the location of media for onsite erasure and declassification. This degausser is also perfect for commercial users as well as those who prefer to have a built-in verification system ensuring each cycle is degaussed successfully with no error. After degaussing, we’d recommend our Model 0101 hard drive crusher for most lower volume applications. At the touch of a button, the 0101 will deliver 12,000 pounds of force to destroy the internal platter of an HDD. The SEM Model 0101 hard drive crusher is the only unit with a chamber large enough to fit hard drives with mounted rails or handles left on. An alternative to crushing depending on your destruction needs, hard drive shredders like the Model 0300 are ideal for small to medium volumes, while larger devices like our Model 0305 are perfect for enterprise drives and higher volumes. No one offers as many HDD shredders as SEM that are noted on the NSA/CSS EPL as meeting step two of the degauss and destroy mandate.

SSD crushed.

When destroying enterprise drives in higher volumes, we recommend our enterprise solutions, such as the Model 2SSD solid state drive disintegrator. The 2SSD is composed of a two-stage cutting system to destroy enterprise drives that are larger, heavier, and denser than standard solid state drives. This rugged device can take up to 180 enterprise SSDs per hour at 2mm squared particles. For applications with both HDDs and SSDs, SEM’s HDD/SSD combo shredders are the ideal solution. The Model 0315 HDD/SSD combo system uses specially designed saw tooth hook cutters to chew up rotational hard drives at 1.50” particle size and solid state drives with a particle size of 0.375”. In addition to hard drives, this device will also accept cell phones, optical media, memory sticks, thumb drives, PCBs, and other electronic storage media!

SEM also offers a complete line of all-in-one office solutions that are ideal for the destruction of classified, Unclassified, CUI, and PII in office environments. A perfect all-around media destroyer that is user-friendly for office environments would be our OfficeShredHS for an all-in-one NSA listed paper and optical media shredder that meets the NSA’s 2mm DVD and BD destruction requirement. In addition, we are pleased to offer Comprehensive Office All-In-One Solutions for our SEM direct customers. These solutions are pre-made to fit your specific destruction requirements. Not finding exactly what you need? Do not hesitate to call, email, or chat with us to customize a solution that’s not detailed on our website. We’re always happy to help!

Who is Responsible for End-of-Life Data Destruction?

February 3, 2020 at 6:55 pm by Flora Knolton

Isn’t the IT Department Responsible?
The short answer is no. End-of-life data destruction shouldn’t be an additional responsibility heaped on an IT team that, more than likely, doesn’t have the proper training.

Let’s start with some quick background. By 2020, it is estimated that there will be approximately 40 zettabytes (40 trillion gigabytes) of electronic data and that every user will create 1.7 megabytes per second. To put that into perspective, even with the technological advancements we’re continually making in data transfer, it would take a single user with an average download speed of 44 megabits per second three million years to download and compile all that data!

Given the amount of data being generated and the dissemination of data being increasingly regulated to safeguard individual privacy, expecting an IT team already tasked with maintaining a technological infrastructure to handle data destruction is not only unreasonable and impractical but virtually impossible. Furthermore, proper destruction of private information is so critical (and, quite often, so complex), that in-house protocols need to be rigidly defined and precisely followed to avoid the potentially catastrophic risks of noncompliance.

In short, there’s no place for simply “leaving it up to the IT department” — and certainly no room for relying on misguided assumptions about where data destruction responsibility falls.

Particularly for organizations and businesses that deal with personally identifiable information (PII), classified data, controlled unclassified information (CUI), or other sensitive information, it is crucial to have dedicated and trained technology-security professionals in charge of end-of-life data destruction. Ideally, a team of security experts should formulate, implement, and manage a comprehensive end-of-life data destruction process that ensures all data is destroyed at the proper time and in accordance with the proper security specifications.

But doesn’t data destruction merely involve obliterating hard drives and shredding papers?
Physical destruction is just a portion of the end-of-life data destruction process — and overlooking the rest of it can have extremely severe ramifications. When you’re dealing with personal, sensitive, or classified data, you’re likely under the jurisdiction of laws such as Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), the European Union’s General Data Protection Regulation (GDPR), or either the National Security Agency’s (NSA) regulations regarding classified and sensitive materials or the Payment Card Industry Data Security Standard (PCI DSS) in the United States, to name just a few.

Depending on which regulations apply to your organization, there are different sets of standards regarding how thoroughly data must be destroyed and how long data may be held before being destroyed. There are also varying financial penalties for not adhering to those standards, many of which can be quite steep. For example, Equifax recently had to pay $575 million as part of a settlement related to a data breach in 2017, and British Airways was recently fined the equivalent of $230 million for a breach in 2018.

Bottom line: If you work with personal, sensitive, or classified data, the onus is on you to be aware of all applicable end-of-life data destruction and privacy-protection regulations. In today’s digital age, this issue is such an urgent one that data privacy policies exist in over 80 countries. It is imperative that all sensitive data residing at a company, whether pertaining to the company or to an external partner/third party, be assigned a proper timeline for destruction at end-of-life, and that the data be thoroughly obliterated to the point that it is irreversibly destroyed.

The only way to guarantee that this will happen is to designate the responsibility, oversight, and ongoing supervision to an in-house professional security team (headed by a Chief Security Officer) that is well-versed in data privacy laws and maintains an organized end-of-life data destruction plan and process.

What about assigning responsibility for data destruction to a third party?
Using third-party destruction companies is a risky proposition. Even in instances when you’re issued a certificate of destruction, you can’t be certain data is irreversibly destroyed unless you have actually witnessed the destruction process and unerringly monitored all facets of data transfer. In fact, the internet is rife with studies documenting how often discarded—and supposedly destroyed—hard drives are found containing PII, sensitive, or classified data.

As examples, Blancco Technology Group recently purchased hard drives on eBay from the United States, the United Kingdom, Germany, and Finland. It was discovered that a whopping 42% contained sensitive data and 15% contained PII. In July 2019, the Federal Bureau of Investigation found over one thousand classified Air Force documents in a contractor’s Fairborn, OH, home. (We’ve also touched on similar incidents in previous discussions.)
The lesson is clear: If proper end-of-life data destruction plans and adequately strict supervision protocols were in place, these incidents most likely would have been avoided.

So what do you need to stay compliant?
Simply put, designating professional, in-house security personnel to curate and monitor end-of-life data destruction plans is the strongest defense against data breaches. Furthermore, be sure this security team has the proper equipment to thoroughly destroy data across various media in compliance with all regulations. Companies like SEM sell destruction devices that not only meet but exceed many government standards. If you are unsure of whether your equipment suffices, you can check the NSA’s evaluated products list.

The Case For Outsourcing Destruction

December 21, 2019 at 2:58 pm by SEM

Did you know that business espionage professionals consider a company’s trash dumpster to be the most available source of competitive and private information? This is due to people overlooking what they are throwing in the trash can and not taking information security as seriously as they should. This is a major concern because any one document could contain important company information or employee information that is harmful if it ends up in the wrong hands.

Depending on your application, there are two options that can help increase your information security:

Option 1: Shred Service – Most commonly used for: Unclassified Applications

Questions to ask prior to signing a contract:

  1. Who are the people destroying my information?
  2. Are they a well recognized company?
  3. Do they perform background checks on all of their employees?
  4. What is the shred particle size?
  5. Am I in compliance with my specifications?
  6. Am I satisfied with the particle?
  7. Is this cost efficient? Am I overpaying?
  8. Would it be more feasible to make a one time purchase to buy equipment?

Option 2: Purchase Equipment – Most commonly used for: Sensitive or Classified Applications

Questions to ask prior to purchasing equipment:

  1. What is my volume?
  2. Is this a constant volume?
  3. Will I get a constant use of this machine or am I simply taking care of a purge?
  4. Is this the right equipment for my application?
  5. Does this fit my volume?
  6. Does it have the capabilities that I need?

Although these options have been directed towards paper shredding, always consider that information resides on many different forms of media. There is equipment that is capable of destroying hard drives, tapes (all types), CDs, DVDs, floppy discs, zip drives, microfilm, etc. So whether a shred service or purchasing equipment fits your application best – always make sure you evaluate your options and take the correct steps towards protecting your company’s information.

Credit Cards & Identity Theft: There’s More Exposure Than You Might Think

August 19, 2019 at 12:23 pm by Paul Falcone

Beyond convenience, credit cards can also provide the cardholder with the ability to build credit (which is necessary for major purchases like buying a home or car) as well as to earn rewards and cash back. However, credit cards can also pose a major threat for identity theft, and likely in more ways than most realize.

Credit Cards & PII

Do you have a credit card? If so, take it out and look at it for a moment. From a glance, there’s a host of obvious Personally Identifiable Information (PII) that’s printed right on it—your name as well as the primary account numbers (PAN), which include the card number, CVV code and expiration date. This PII is certainly sensitive data and in the wrong hands could be used for credit fraud and identity theft.

However, there is also PII contained on your card where you might not think of it. For instance, PII data such as card holder name, service code, expiration date, CVV code and PIN numbers are also stored in the magnetic stripe of the card. Another unseen piece of technology within your credit card that holds the same PII data is an RFID chip. The only way to tell if your card has an RFID chip is if it has the words “Blink,” “PayPass,” or “PayWave” on it, or else a symbol that looks like a Wi-Fi signal turned 90 degrees clockwise.

RFID chips provide further cardholder convenience by allowing payment to occur simply by tapping the card on a pad near the terminal instead of inserting the card into a reader. Even though security codes for your RFID chip are generated every time you use it, it only takes one time for a criminal with the right equipment to intercept your RFID chip communication as you perform a payment transaction and steal all of this sensitive information. (Although the RFID signal is very weak and can only be read from a short distance of a few inches.)

And, even though your credit documentation is likely kept at home or in a credit app, there’s still the threat of theft from the paper trail or digital-document trail of PII connected to the credit card. This includes statements, bills and other communication mailed or digitally transmitted to the cardholder.

Issuers, Printers & PII

You don’t just get a credit card out of thin air. There are other players involved who will also have access to your PII for the application of the credit line as well as the creation of the credit card itself. Obviously, the financial institution and/or lender company that issued the line of credit and therefore the credit card to the cardholder also has full matching records (stored via print and/or digital media) of the cardholder’s PII to authorize and process card transactions.

What is often overlooked is the generator of the credit card, the security printer company that the financial institution and/or lender works with to create the cards. A printing plate unique to the cardholder is used to create the design, lettering and even some security features that are printed onto the card. This means the printing plate contains a copy of your PII. And the tipping foil that’s used to personalize cards can also have PAN left on the foil after it’s been used.

Proper Destruction of Credit Cards & PII Contained

It goes without saying that consumers must properly shred their expired credit cards and shred, pulverize or incinerate all paper documentation related to that credit card that contains PII. If the documentation is stored digitally, the data and the device need to be properly destroyed: by using software or hardware to clear the data by overwriting it with non-sensitive information, or by degaussing the media and rendering the magnetic field permanently unusable, and by destroying the media by shredding, melting, pulverization, disintegration or incineration.

SEM EMP1000-HS Degausser

When choosing a shredder, consumers should follow DIN Standard 66399, at a minimum Level P-5, for the end-of-life destruction of the credit card and ensuing paper documentation. Shredding at P-5 standards ensures the final particle size has a maximum cross-cut surface area of 30mm² with a maximum strip width of 2mm, or 2x15mm. Shredded data at this size is unlikely to be reproduced even with special equipment.

The financial institution and/or lending institution should practice the same proper end-of-life destruction with their paper and/or digital record trail of the account information containing the consumer’s PII. The financial or lending institution should also ensure that their security printers practice the same standards for the end-of-life destruction of the printing plates and tipping foil used to create the consumer’s card. For these organizations, it’s recommended that they follow DIN Standard 66399 Level P-5, whether it’s for paper or digital media that stores the PII attached to the card and line of credit.

PII Theft Prevention: Complying with Intergraf

In addition to practicing proper data and device destruction when the printing plate and tipping foil reach end-of-life, the security printer should take preventive steps in the creation of the cards and the materials used. One such way to do so is for the security printer to use only printing machinery that’s Intergraf-certified.

Intergraf is a European-based federation for print and digital communication which works to ensure security of the sensitive data stored within those mediums as they’re created. An Intergraf-certified security printer machine provides: a clear structure of requirements and responsibilities, trusted security for printers and suppliers, recognizable reference for governments and industries, prevention of forgery and counterfeiting, maximum security from development to deployment and increased customer confidence and satisfaction.

Intergraf has developed an international standard for security printers and suppliers (e.g., CWA 14641, CWA 15374 and ISO 14298) that also helps to direct how these organizations should destroy the printing plates and tipping foil to render them unusable and irrecoverable. For instance, Intergraf stipulates that the destruction standard for printing plates is DIN 66399 P-1, which renders the particle size to a maximum surface area of 2,000mm², or 12mm strips.

Finding the Right Data Destruction Machine

SEM has both high-volume and high-security shredders that meet the DIN 66399 standards. It’s important to note, too, that SEM recommends at both the consumer and commercial level that the machinery be purchased or leased and kept on-site with the consumer or organization. This ensures contact with the sensitive data is limited to only those authorized to receive it.

The NSA EPL: The Policy that Protects Your Data

June 14, 2019 at 6:40 pm by Paul Falcone

In today’s world the amount of personal data that is accessible in your hands continues to grow by the day. As our data grows, so do our security concerns about how our data is accessed and how it should properly be destroyed. Luckily, there is a guideline that continues to update the products that are proven to destroy data to the point of no return: the Evaluated Product List (EPL) by the National Security Agency/Central Security Service.

What is the NSA EPL?

The NSA EPL is a series of lists that break down which devices have been tested and approved by the NSA to meet the necessary physical destruction requirements for all types of data-bearing media. For top secret data, these requirements include a 1mm x 5mm final particle size for paper and a 2mm particle size for DVDs and Blu-ray Discs. There are seven lists total, as well as a guide, covering a variety of devices used to destroy different media that can hold and store sensitive data. The lists are as follows:

  • NSA/CSS Storage Device Sanitization Manual
  • NSA/CSS Evaluated Products List for Hard Disk Drive Destruction Devices
  • NSA/CSS Evaluated Products List for Magnetic Degaussers
  • NSA/CSS Evaluated Products List for Optical Destruction Devices
  • NSA/CSS Evaluated Products List for Paper Disintegrators
  • NSA/CSS Evaluated Products List for Paper Shredders
  • NSA/CSS Evaluated Product List for Punched Tape Disintegrators
  • NSA/CSS Evaluated Product List for Solid State Disintegrators


Why is the NSA EPL Important?

On January 23, 1968, the U.S.S. Pueblo was in international waters aiding South Korea and gathering and intercepting codes and messages from the North Koreans when the ship came under siege. Crew members attempted to destroy the cryptologic materials that were used to decode secret messages, with one man being killed and three wounded. The North Koreans ended up seizing the ship and all of its crew, keeping the 82 surviving crew members captive for 11 months. The event represented the largest single loss of sensitive data in US history. It was this very event that inspired the creation of the very first SEM disintegrator, as SEM founder Leonard Rosen sought to find a solution for the Navy to destroy data in case this ever happened again.

Original oil painting depicting North Korean attack by artist Richard DeRosset commissioned by SEM. North Korean ship and aircraft numbering is exact for the attacking forces.

On February 1st, 2003, the Columbia space shuttle tragically disintegrated upon reentering the earth’s atmosphere after 17 days in space. As the pieces of the shuttle burst into flame and hurtled towards Earth at high speeds, a hard drive that contained data from the expedition landed in a riverbed in Texas. This hard drive stayed in the riverbed for over six months through all forms of weather until it was discovered and sent to Ontrack to attempt to recover the data.

A look inside the drive that fell from the Columbia shuttle

After a team of engineers got to work, they were able to reconstruct the rotational drive and recover over 99% of the data on the drive. A drive that fell from outer space, on fire, into a riverbed for over six months was able to have its data recovered.

What do these stories have to do with the NSA EPL? Without a set of standards, what people would consider destroyed, or how people would think data is protected, would be very, very different from what is actually needed to ensure complete physical destruction. By having these standards and a push for devices that can meet these standards, data that needs to be protected to keep people safe around the world can be properly disposed of. This ranges from your own Personally Identifiable Information (PII) to our nation’s and military’s largest secrets that protect millions of lives.

That means whether it’s designing destruction machines that fit specific dimensions of naval ships, or building a shredder that can destroy hard drives better than falling through the atmosphere, the NSA EPL has the specifications that ensure all data has a proper end-of-life solution.

At SEM, we take pride in being the global leader in high security end-of-life solutions. As such, we are constantly ensuring that our machines are meeting the latest standards provided by the NSA, and using our expertise to educate the community at large to keep data of both the government and US citizens safe.

 

What’s the Scoop on the New NSA DVD/Blu-ray Disc Standard?

January 25, 2019 at 8:03 pm by Heidi White

This past December, the NSA released a complete new set of Evaluated Products Lists for secure document/media destruction devices, all dated 06 November 2018.  Such an extensive new EPL posting was quite a surprise to end users and equipment makers.  Typically, these lists come out one at a time, often with years between updates.  Seven of them released all at once was unusual and unexpected.

Even more of a surprise was a change in the particle size standard for destroying classified DVD and Blu-ray Discs (BDs).  The change, apparent in the new EPL for Optical Media Destruction Devices, states the new standard as “DVDs and BDs to a maximum edge size of 2mm or less.”  This sudden change has led to a flood of inquiries at SEM from government organizations, so it seemed a good time to address this particular change.

SEM Model 0202 OMD/SSD and OMD/SSD-C shred optical media to less than 2mm and are listed on the 2018 NSA EPL.

The existing CD particle size standard, “CDs to a maximum edge size of 5mm or less,” was not changed.  As a result, looking at the list of products on the EPL, there is a column noting the acceptable materials that indicates whether each device is good for CD, DVD, BD, as well as other non-optical materials for which some of those machines are certified. A key takeaway is that NSA listed optical media destroyers are no longer all the same in terms of what they can destroy.  Users will need to check the EPL to make sure all items they want to destroy are approved.  This could make for a lot of confusion when looking at products on the market.

Yet another uncertainty is the timeline for users to make a changeover.  The EPLs do not give a transition period to switch to new machines, or grandfather the use of existing equipment.  In the past, when the NSA changed a standard for shredders or media destroyers, there was some time allowed to comply.  So far, there has been no announcement of that for the new DVD/Blu-ray standard, but many government entities are hopeful for such an announcement.

What does this mean for the status of existing optical media destroyers in use and on the market? The change is significant.  The great majority of optical media shredders that are in use are no longer shown on the EPL as approved for DVD or Blu-ray.  This includes the most popular optical media shredders on the market and almost all document and multi-media disintegrators. Producing a 2mm particle with no oversized particles is simply not possible with those machines.

SEM Model 0200 OMD/SSD-C is a cabinet version of the NSA listed CD/DVD/BD shredder

Only a few machines on the EPL for optical media destroyers have approval for DVD and BD. Of those, most are solid state media destroyers, which are large, expensive machines that cost $65,000 and up.  Users seeking a compact, affordable machine to destroy optical media can choose a machine like the SEM Model 0200 OMD/SSD.  Even better is the recently announced version of this machine with a more office-friendly configuration, the Model 0200 OMD/SSD-C.  The new version will better suit most customers with its attractive cabinet and better sound proofing for the vacuum versus the tabletop style of the standard version.  Both versions of the 0200 grind optical discs (not just the surfaces) into the NSA required particle size, which looks like beach sand.  The waste is collected and bagged by a vacuum.  These devices are not quite as user friendly as standard optical media shredders, like the SEM Model 0201 OMD.  Users who only have CDs, no DVDs or Blu-ray, will surely be happier with a machine like the 0201 OMD.

As an aside, another change on the optical media destruction device EPL, and the other EPLs, is that the NSA is no longer publishing official throughput rates.  In recent years these rates were on the EPLs.  This was a way for folks to check the claims made by vendors on capabilities.  The EPLs now direct users to the manufacturers to get throughput data.  In terms of optical media, the rating in question is the number of discs per hour.

At the end of the day, the NSA EPL is the gold standard for all types of secure data destruction, whether government or commercial, and must be followed for the destruction of classified and top secret data. SEM has over 50 years of experience with the destruction of sensitive and secret data and is here to help anyone who has questions on or needs assistance with the new EPLs.

Bob Glicker, Mid-Atlantic Regional Sales Manager, has over 35 total years of sales experience with over 23 years of targeted government sales experience. Bob prides himself on providing the highest level of service to his government clients, and he enjoys working with key resellers. Bob received his BS in Chemistry from the University of Maryland, College Park. In his free time, Bob enjoys a variety of activities including gym workouts, cycling, reading, and listening to podcasts. He is also an avid science lover, an amateur juggler, a vegetarian, and the quintessential family guy.