Are Printers and Copiers Stealing Your Information?

August 2, 2021 at 6:15 pm by Amanda Canale

Copiers, printers, and document scanners are just as much office staples as any other piece of equipment (aside from, probably, an actual stapler). While these kinds of devices are not typically programmed to store any sensitive data, they may be harboring more data than you think. Everything from new employee records, tax forms, HR documents, and other kinds of personally identifiable information (PII) and unclassified or classified information are just ticking time bombs. In this blog, we discuss how hackers can tap into your copiers and scanners and steal your private information.

Since approximately 2002, most digital copiers and printers use hard drives that store and manage all the data, documents, and images you are copying, printing, and scanning. Mix that with their web-based interfaces, and now your office serves as the perfect cocktail to lure in online hackers. (In layman’s terms, this means that your copiers are essentially giant computers and vulnerable to all sorts of cyber-attacks!)

Most digital copier manufacturers offer some sort of data security feature that involves encryption and/or overwriting to ensure the safety of whatever information you are printing, copying, or scanning. So hopefully, your office’s IT department has already either installed the software to protect you and your data from cyber-attacks or has a system in place to securely sanitize that data. It’s important to discuss your device’s security features with your IT department since each device is different; you should know whether your device’s memory is automatically wiped, needs to be manually wiped on a preset schedule, or another option altogether. Depending on what those features entail, a schedule should be set in place to ensure a routine is followed.

Some practices you and your team can integrate into your routine are using authentication or additional verification methods that include a mix of a password, card swipe, biometric information, or other similar methods. By implementing more preventive measures, you can help lower your risk of cyber-attacks.

Remember when we said that copiers are essentially giant computers? Well, that also means that their hard drives work the same as computer drives in that overwriting a drive is vastly different than reformatting or deleting. According to the Federal Trade Commission (FTC), simply deleting the data or reformatting the copier’s hard drive “doesn’t actually alter or remove the data, but rather alters how the hard drive finds the data and combines it to make files: The data remains and may be recovered through a variety of utility software programs.” Like other hard disk drives, methods such as cryptographic erasure and data erasure would allow the drive to be used again, but these are not secure and foolproof destruction methods. Information, whether encrypted or unencrypted, can still linger behind on the drive and be accessed, even if it has previously been deleted or overwritten. (You can read more about how not to destroy hard drives in our previous blog post.)

When it comes time to destroy your copier’s end-of-life hard drives, it is always best practice to conduct destruction and degaussing in-house. To ensure the secure destruction of your data, SEM recommends always following NSA standards and degaussing all magnetic media, including hard disk drives (HDDs), prior to physical destruction in a shredder or crusher.

By degaussing the drive prior to physical destruction, organizations are choosing the most secure method of data destruction per NSA guidelines as this is the only way to be certain that the end-of-life data has been properly destroyed. When magnetic media is placed in one of our degaussers, powerful magnetic fields essentially scramble and sanitize the magnetic tapes and drives, eliminating all sensitive information from the device. This crucial step securely renders the drive completely inoperable. Once the device has been degaussed, it should be physically destroyed. This two-step method of degaussing and physical destruction — mandated by the NSA for classified media — is without a doubt the most secure method of sanitization for magnetic media such as HDDs.

Solid state drives (SSDs) and optical media cannot be degaussed, so it is critical that each and every chip on a solid state board is destroyed in order to properly sanitize the data. Depending on media type, crushing, shredding, or disintegrating is recommended. It is also important to remember that a data breach is a data breach, no matter the level of impact. At SEM, we have solutions to securely destroy any type of media on any type of device, ensuring your end-of-life data stays where it belongs: at the end of its life.

 

Your Phone Knows What You Did Last Summer: 8 Places Your Data is Living That May Surprise You

July 6, 2021 at 8:00 am by Amanda Canale

According to a 2018 study by MightySignal, there are more than 1,000 different mobile apps available that contain some sort of location-sharing and tracking code. These codes are typically used to gather information on the public’s shopping patterns to help developers make money on targeted ads. Unfortunately, this isn’t the only kind of data some of them are gathering. In this blog, we break down eight different places your data is living that may surprise you.

Dating Sites/Apps

We all want to find love, and today with a plethora of dating apps available, it’s never been easier. However, you may be telling potential partners and app developers more than what’s in your dating profile. Apps such as Tinder and Hinge request and require access to your location in order to find potential matches in your general area.

While filling out your likes and dislikes, your location, and what you do for work may be normal things to share with your dates, putting them on your public profile for all potential suitors to see can potentially cause more harm than good. Not to mention, a large chunk of dating apps ranging from Tinder and Plenty of Fish to Hinge and OKCupid are owned by one single company: Match Group. Match Group’s numerous apps reserve the right to share data with one another, even if you’re only using one of their apps.

Photo Editing Apps

Whether it’s adding bunny ears, erasing a blemish, or making your selfie look like it was taken on a vintage Polaroid, everyone loves a good photo filter. However, most photo filter apps require, or at the very least request, access to your entire camera roll rather than the one photo you want to edit. (Remember the saying, “a picture tells a thousand words?” Imagine what kind of personal information your entire camera roll can share!) In addition, many photo editing apps also link to social media apps, not only making way for a seamless snap, edit, and post, but securing a direct access link to all your social media profiles for potential hackers.

Weather Apps

Rain or shine, there’s always a small risk your data could be leaked. While you’re not at a moderate or high risk of your data being stolen from your favorite weather app, your location and location history are still being tracked and can be collected from other apps if they are linked together.

Social Media Accounts

Since the early 2000s, the popularity of social media profiles has grown exponentially, with the most popular ones being Facebook, Twitter, Instagram, and Snapchat. It’s now commonplace in our society for social media users to document their entire lives online in the form of vlogs, blogs, and TikToks, meaning there’s less and less of our lives that aren’t posted online. As more people share more and more personal information, the more push there is for stricter user privacy laws and regulations.

It’s always best practice to not share too much information online that can be personally identifying, such as your address, personal contact information, work location, etc. Utilize your social media accounts’ and mobile devices’ privacy settings, and remove any contact information and data from the social media sites you no longer use.

Gaming Apps

In 2018, a COPPA (Children’s Online Privacy Protection Act) study found that in approximately 20% of children’s apps, developers included code that collected and distributed personally identifiable information (PII) without confirming parental consent. The information often gathered by these apps ranges from the child’s name and email address (or parent’s depending on whose device is being used) to home and mailing address and parent information.

Mobile Wallets

Mobile wallets are a hassle-free way to pay for groceries, gifts, and more without having to dig through your wallet or purse to find your credit cards. It’s convenient being able to store all of your payment options in one place; just make sure to protect your digital wallet. Be sure to enable your phone’s security features, protect your phone and digital wallet with a password, fingerprint, or other authentication method, and avoid using public Wi-Fi when accessing sensitive data.

Rental Cars (Smart Phone Connection)

You may want to rethink syncing your driving playlist or connecting your GPS to your rental car on your next road trip. If you connect to your rental car via Bluetooth, your rental car can store previous locations, phone number, call log, and even contacts, making it much easier for the next renter to hack your information. Make sure you check your permissions, avoid connecting your mobile device to the car’s infotainment system, and delete any information from the system before returning the car.

Old Laptops and Drives

By now, we all know that simply erasing information from a laptop, tablet, or drive is not enough to keep your information safe. When erasing data off a drive, it’s possible that unencrypted and encrypted information can linger and become fair game for hackers. While methods such as cryptographic and data erasure would allow the drive to be used again, they are not secure and foolproof data destruction methods. Information, whether encrypted or unencrypted, can still linger behind on the drive and be accessed, even if it has previously been deleted or overwritten.

Unfortunately, as we get further into the Digital Age, the more personal information we are knowingly (and unknowingly) sharing, the more information developers are collecting about us, and the higher the chances are of a potential data breach. While many apps, developers, and businesses claim to only be interested in tracking the public’s patterns and not identities, the information they are gathering can technically be described as personally identifiable (PII). Tracking an individual’s location as they go to work, the gym, home, and even their doctor’s office can easily lead to identifying individuals. The average app, whether Android or Apple, has approximately six different data trackers embedded into it while some applications request access to more information than what is needed.

We understand that not every app or rental car company is trying to steal your data; apps that track jogging routes or utilize the option to share your location with your loved ones serve legitimate purposes. We at SEM stress that individuals should opt for the “Ask App not to Track” option in their device’s personal settings, only share their information with legitimate apps, and be mindful about where they offer up their information.

To sanitize your end-of-life laptops and drives, we recommend revisiting some of our old blogs on hard drive destruction misconceptions and ways to NOT destroy your drives for more information. Regardless of the catalyst for your drive destruction, it is always best practice to conduct destruction and degaussing in-house and to follow NSA standards. At SEM we have an array of various high-quality NSA listed/CUI and unclassified magnetic media degaussers, IT crushers, and enterprise IT shredders to meet any regulation.

Announcing New Merchants Fabrication Production Supervisor

June 28, 2021 at 5:51 pm by Amanda Canale

SOUTHBRIDGE, Mass., Merchants Fabrication, Inc. (MFI), a full-service metal plate and structural shape manufacturer specializing in the machine building industry, is pleased to announce that Voytek Knara has been promoted within the company as Production Supervisor.

“Voytek has been an integral member of the MFI team for over a decade and has played a key role in our success thus far,” comments John Bernier, MFI General Manager. “This promotion could not be more deserving.”

Mr. Knara, who has been with the company for 17 years, has nearly 30 years total of manufacturing experience. His new role at MFI will allow Mr. Knara to bring his expansive knowledge of metal fabrication theory and procedure as well as mechanical troubleshooting to the production floor.

“I am both honored and thrilled to be able to continue my work at MFI in this new role, and am excited to help bring the company to the next level,” commented Mr. Knara.

MFI has extensive history and experience in sub-contract manufacturing work, specializing in the aerospace, paper, food and beverage, medical, and specialty equipment industries. Their capabilities range from custom fabrication work, prototyping, and custom design to waterjet cutting, CNC bending, welding, and more.

Top 5 Human Errors That Could Risk A Data Breach

June 3, 2021 at 5:06 pm by Amanda Canale

We’re all human. We all make mistakes. It’s inevitable! Unfortunately, there are times when our mistakes have consequences. Sometimes those consequences are small and sometimes…they’re not as easy to sweep under the rug. In this blog, we break down the top 5 ways human error can lead to a potential data breach.

Weak Passwords

According to a 2020 study by Verizon Data Breach Investigations, approximately 81% of all data breaches are caused by cybercriminals easily hacking accounts that are so-called “protected” by weak passwords. By not adhering to password guidelines, failing to offer password training to your team, and not implementing multi-factor authentication procedures, businesses continue to put their cybersecurity at risk.

With that being said, what exactly constitutes a weak password? Weak passwords are any sort of phrase or term that is common, short, or something predictable such as the owner’s name, birthday, or the literal word, “password.” Instead, use a longer password made up of a mix of upper and lowercase letters, numbers, and symbols to help keep your password and data safe. Essentially, the more complex the password, the harder it is for cybercriminals to hack your information.

Lack of Cybersecurity Knowledge

In the modern digital age, the world of cybersecurity has only become more intricate and advanced. Bad news? Most of us need to step up our game when it comes to protecting our data. Good news? You don’t have to be an IT wizard to do so!

Here are just a few minor ways to help combat a lack of cybersecurity knowledge:

  • Do not use public Wi-Fi without a VPN when accessing sensitive data such as bank accounts, work emails, etc. By not using a secure network or VPN, it’s much easier for hackers to get their hands on your information.
  • Avoid interacting with suspicious email links and attachments. Hackers and thieves have only become more creative when it comes to phishing emails. If an email address is a letter or two off, or if that email from your boss asking you to purchase gift cards to send them doesn’t necessarily sound like them, it’s always best to either ignore it or send it to your IT department to investigate.
  • Avoid using insecure devices. Whether it is an external hard drive or USB stick, be wary of using just any random external device that could potentially be carrying malicious code designed to steal your information.

Mishandling of Data When Transporting

In May 2006, the U.S. Department of Veterans Affairs announced that a data breach had compromised the records of 26.5 million veterans. Among the private and sensitive information that was stolen were names, dates of birth, and Social Security numbers in addition to other personally identifiable information (PII). The breach was found to be caused by a Veterans Affairs data analyst who had taken computer equipment home that contained the unencrypted information of all 26.5 million affected veterans. The laptop and hard drive were then stolen from the analyst’s home during a burglary which ultimately led to the breach.

Another example of insecure transportation is the 2011 breach of military health program TRICARE. The breach occurred when a TRICARE employee was tasked with transporting devices carrying the healthcare information of 4.9 million subscribers to an off-site storage facility as part of the company’s routine backup procedure, and the employee’s car was subsequently burglarized.

While we’re sure neither one of the employees mentioned above had intended to have their home and vehicle burglarized, unfortunately, that is a risk we all face. It’s the unpredictability of others that we must keep in mind when transporting physical media. To read more about the importance of storing physical media that is awaiting destruction, read one of our previous blogs.

Using Outdated/Unauthorized Software

Rule of thumb: combat cybercriminal efforts by making sure your software is always up to date and is reputable. It is far too easy for cybercriminals to compromise sensitive data when your software is not up to date. Check with your business’s IT department to make sure you are not ignoring any updates or downloading unauthorized software. It’s also important to note that one should never disable their software’s security features, especially if it is on a work-issued computer or laptop. Your online shopping can wait until you are in the safety of your own protected network and home.

Third-Party Vendors

As we’ve stated in previous blogs, by introducing third party data sanitization vendors into your end-of-life destruction procedure, you significantly increase the chain of custody, and subsequently face a far higher risk of data breaches. There have even been reports of some vendors selling end-of-life devices and their sensitive information to online third parties!

We understand that while there are reputable data sanitization vendors out there, it can be far too easy for ITAD (IT asset disposition) vendors to misuse, mishandle, and misplace drives when in transportation, during destruction, and disposal. (Remember when financial institution Morgan Stanley announced that an ITAD vendor had misplaced computer equipment storing customers’ personally identifiable information?)

At SEM, we suggest getting rid of ITADs altogether if they are part of your end-of-life destruction procedure simply because of how unpredictable they can be, and the potentially catastrophic consequences should a breach occur.

A common denominator in the data breaches above is not only human error but the misuse during storing and transporting of drives containing sensitive information. We understand that destruction does not always happen immediately after the drives and data are deemed end-of-life. Businesses may not have the proper equipment in-house or budget to outsource destruction, but it is for this reason that we at SEM stress that precautions and protocols should be in place to securely store and protect all data once it meets its end-of-life.

Following all these tips can help protect your most sensitive information. As always, it is important to remember that a data breach is a data breach, no matter the level of impact. At SEM we have an array of various high-quality NSA listed/CUI and unclassified degaussers, IT crushers, and enterprise IT shredders to meet any regulation when the time comes to destroy your end-of-life data. Any one of our exceptional sales team members is more than happy to help answer any questions you may have and help determine which machine will best meet your personal or regulated destruction needs.

HAMR vs. MAMR: What’s the Difference?

May 14, 2021 at 5:59 pm by Amanda Canale

Before we get into the nitty gritty differences between HAMR and MAMR and what they are, we want to give a quick refresher on hard disk drives (HDDs) and solid state drives (SSDs).

HDDs

Hard disk drives (HDDs) are a type of data storage device that use rotating disks, platters, and magnetic material to store and retrieve data. HDDs also contain actuator arms that read and write data while the rotational platters spin. While HDDs are cheaper and can store more data than their counterpart the SSD, they are slower and susceptible to data loss when interacting with magnets due to their internal magnetic material.

When it comes to destroying end-of-life HDDs, SEM always suggests best practices per the National Security Agency (NSA). Depending on the information stored on HDDs, they should always be destroyed either by shredding or crushing; however, if a drive contains classified information, degaussing prior to destroying the drive is required. Degaussing is the process by which a drive’s magnetic field is essentially scrambled, making the data and drive completely inoperable. Once degaussed, the drive should then be crushed or shredded by an NSA approved crusher or shredder. Combined, this is by far the most secure method of data sanitization for HDDs.

SSDs

Solid state drives (SSDs) are another type of data storage device that store data using integrated circuits. Unlike HDDs, SSDs do not include an actuator head and instead store information into cells that can be retrieved instantaneously. SSDs are also quite a bit faster than HDDs, causing computers to run much more quickly. The downside? SSDs store less data per drive and can be significantly more expensive.

Since SSDs do not contain magnets, they cannot be degaussed. Therefore, they must be destroyed by a machine that is SSD-specific given the necessary final particle size. The final particle size is crucial to ensuring that none of your SSDs’ information is left behind. Since SSDs do not contain rotational platters, any small chip that is not destroyed can potentially contain proprietary information and get into the wrong hands. The NSA requires that end-of-life SSDs containing classified information be destroyed to a final particle size of 2mm or less. Drives containing other kinds of information can be destroyed in an SSD disintegrator, shredder, or crusher.

Now let’s get to it! Technical lingo aside, the two main techniques used to increase a hard disk drive’s capacity are adding more platters to the drive in order to increase its density, or adding more bits (or pieces of data) on a disk. Heat-assisted magnetic recording (HAMR) and microwave-assisted magnetic recording (MAMR) are just two steps in the evolutionary trajectory of data storage management.

HAMR

Since the media must be heated as data is being written, heat-assisted magnetic recording (HAMR) applies laser-powered heat to the drive’s grains, reducing the drive’s magnetic hardness. This process allows the drive to flip its magnetic polarity, and therefore bit value, through the temperature changes. This method uses recording material that is less prone to thermal instability, leading to smaller recording bits in HDDs, and greater stability and reliability of media.

MAMR

Microwave-assisted magnetic recording (MAMR) uses a different technique to essentially accomplish the same goal. Instead of laser-powered heat, MAMR uses 20-40 GHz frequencies to bombard the HDD’s disk platter with circular microwave fields. During this method, the drive’s actuator head uses a spin-torque oscillator that creates an electromagnetic field near the write pole at a lower magnetic field that enables denser and more reliable drives. Unlike HAMR, MAMR can flip the domain’s magnetic polarity much more easily.

While both methods serve essentially the same purpose of lowering magnetic hardness to increase storage capacity, some experts cannot seem to agree which is more sustainable. While MAMR technology is expected to increase an HDD’s capacity from 4 TBpsi to approximately 40 TB, HAMR can only increase its capacity from 2 TBpsi to between 20 and 40 TB. HAMR supporters claim that the laser technology allows drives to spin for much longer and with fewer issues, whereas MAMR supporters claim that high heat actually causes a drive to burn out faster.

It is important to note that HAMR drives cannot be degaussed at this point. Conversely, MAMR drives CAN be degaussed; that said, a question remains on the required gauss level to fully sanitize MAMR drives. Existing degausser technology is such that residual data remains on degaussed MAMR drives even when using a 20,000 gauss NSA listed degausser. It is therefore accepted within the industry that existing NSA listed degaussers will be insufficient to sanitize HAMR and MAMR drives and that these drives will need to be either disintegrated to 2mm or incinerated at end-of-life.

What Documents Should You Shred After Filing Your Taxes?

April 26, 2021 at 6:16 pm by Amanda Canale

Ah, tax season. A time to reflect on and reevaluate the past year’s finances, and a wonderful excuse for some major spring cleaning!

In this blog, we’ll break down all of the documents you can say, “bye-bye” to and the ones you may want to keep around for a bit longer. It’s important to note that this is simply a condensed breakdown, but more information on record retention policies (RRP) can be found in our blog, Records Retention Schedules: When Will Your Data Expire?

Bye-Bye Junk!

  • ATM and deposit receipts: These can be shredded once they are compared against your monthly statement.
  • Credit card bills: Once your bill has been paid, shred away!
  • Utility bills: Keeping utility bills once they are paid is not always necessary. However, it is recommended to save all of your utility bills for one year if you are claiming a home office deduction.
  • Pay stubs: Pay stubs should be saved for one year but once your taxes are filed, they are ready for the shredder.
  • Insurance policies: Once your policy is renewed (either with the same insurance company or a different one), feel free to feed it to your shredder.
  • Receipts: No need to pile up your desk or filing cabinet with every UberEats and Postmates receipt from the past year. It is only necessary to keep receipts from bigger purchases or items that will be deducted.
  • Monthly bank statements: Your monthly bank statements should be saved for one full year and then shredded after you receive your annual statement.
  • Monthly investment statements: All annual statements and the most recent monthly statement should be kept on file; however, feel free to shred the rest!

Documents for Next Tax Season

  • Income: Whether your income comes from wages, interest, or other business, any W-2, 1099, or K-1 forms, and bank and brokerage statements should be kept leading up to your next tax return.
  • Deductions and credits: Any receipts pertaining to childcare, medical and dental expenses, using your home as your business, alimony, or charitable donations should be kept leading up to your next tax return. In addition, keep any receipts or invoices, cancelled checks, and bank or credit card statements.
  • Home and property documents: Whether they are closing statements, proof of payments, insurance records, or home and property renovation receipts, these types of documents should all be kept for a year leading up to tax season.
  • Investments: Any and all 1099 and 2439 forms, brokerage statements, and mutual fund statements should also be kept prior to filing your taxes.

With all of this being said, it is important to mention that there are some financial documents that should be kept for a specific amount of time after you file your taxes. The Internal Revenue Service (IRS) has three years to assess additional tax and audit returns, meaning it would be a smart move to keep on file any documentation that supports your recent claim.

Shred Away!

Now is the fun part: shredding time! While there are various ways to destroy a paper document (as detailed in our recent blog, How NOT to Destroy Paper Documents), we at SEM know it to be best practice to use a high security paper shredder (no, big box store shredders won’t cut it — pun intended!) when destroying all of your end-of-life paper documents. By adopting a secure shredder policy, you can be sure your financial information does not get into the wrong hands. We suggest the SEM Model 1324P deskside shredder for all of your at-home shredding needs. This device offers a DIN 66399 P-4 particle.

P-7, shown above, is the standard for the destruction of classified material on paper

At SEM we have an array of high-quality NSA listed/CUI and unclassified paper shredders to meet any regulation. Any one of our exceptional sales team members is more than happy to help answer any questions you may have and help determine which machine will best meet your destruction needs.

SEM Introduces Two Solid State Media Crushers for Commercial Data Center Market

April 13, 2021 at 8:15 am by Amanda Canale

Security Engineered Machinery Co., Inc. (SEM), global leader in high security information end-of-life solutions, is pleased to introduce two new shredder models: the SEM Model 0205NANO and the SEM Model 0205MICRO. These two unique devices are specifically designed for the destruction of solid state media, including small chips; the 0205NANO crushes the smallest of solid state media while the 0205MICRO is equipped to crush other larger solid state material. Designed and manufactured at SEM’s Westborough, MA headquarters, both devices are TAA compliant and meet NIST 800-88 regulations.

“These are both exciting new additions to our line of destruction devices for data centers,” commented Nicholas Cakounes, SEM CTO. “The 0205 line fills what has been a very real industry need for solid state destruction devices designed specifically to destroy microchips.”

The Model 0205NANO is a mobile crusher designed to destroy the smallest forms of solid state media and microchips. The first of its kind, this revolutionary device destroys Compact Flash Type 1, SD Cards, SIM chips, SOIC-8, PLCC-32, SOIC-16, and TSOP48. Once end-of-life media, even the tiniest chips, has been inserted into the device, it is crushed beyond recovery by the specially crafted and designed internal rotors.

Similarly, the SEM Model 0205MICRO is constructed with custom-engineered solid steel rotors, an LCD touch screen interface, and portability. The 0205MICRO is a low volume, solid state crusher that crushes a wide array of various solid state media, including SSDs, thumb drives, flash and optical media, cell phones, and more.

“These revolutionary devices are the perfect additions to the commercial market, particularly data centers, when it comes to end-of-life data destruction,” said Ben Figueroa, SEM Strategic Account Manager. “The 0205NANO and 0205MICRO are two state-of-the-art, compact, clean, and portable devices that make them ideal for safeguarding sensitive information stored on microchips.”

For more information on the Model 0205NANO, visit https://www.semshred.com/product/model-0205nano/. For more information on the Model 0205MICRO, visit https://www.semshred.com/product/model-0205micro/.

 

How NOT to Destroy Paper Documents

April 5, 2021 at 1:13 pm by Amanda Canale

In the age of Big Media, it’s easy for some to say, “Paper is dead! Everything is digital now!” Well, not quite. Even as we get further and further into the digital age, not everyone (or everything) has gone paperless. While the majority of our information and data has gone digital, there are very literal paper trails linking our identities to our private information. From medical records and birth certificates to mailed credit card offers and business contracts, there is a plethora of paper documents out in the world that hold some of our most private and confidential information. It is for this reason in particular that we at SEM stress that any end-of-life paper documents containing sensitive or confidential information should be destroyed securely. Join us as we break down some of the methods that should be avoided.

Cutting and/or Shredding by Hand

As satisfying as ripping up physical spam mail can be, making it your primary shredding method is not recommended. While this method may be enough for mail or documents not containing private, confidential, or personally identifying information (PII), it will not ensure that the information cannot be pieced back together. Unfortunately, when media or data of any nature is not destroyed with high security end-of-life destruction equipment, there is always a risk that some of the data may be recovered. Take for instance the DARPA Shredder Challenge where people competed to reassemble shred particles, or our previous blog, A History of Data Destruction.


Recycling and/or Throwing Away

While we support the green initiative in wanting to recycle your end-of-life confidential paper documents, unfortunately this cannot always be securely done. For starters, the majority of our waste and recycling ends up in landfills and dumpsters which are typically gold mines for hackers and thieves. In addition, recycling and waste are not transported securely, making it easy for people to intercept and have access to your most sensitive and confidential information.

It is reported that, on average, recyclables and waste sit on sorting floors for up to four weeks before finally being destroyed. Given that length of time, anything can happen! It is important to note that after this period, remnants of your information are not magically sorted; dozens of employees sort what the machines cannot and have direct access to your data. By opting for a seemingly eco-friendlier alternative, you will unfortunately only put your data at more risk.


It is always best to err on the side of caution when it comes to end-of-life data destruction. When it comes to specifically destroying paper documents, it is best practice to use a paper shredder. By adopting a shredding policy, companies and organizations can take preventative measures to ensure that end-of-life confidential information does not fall into the wrong hands.

That’s why at SEM, we want you to future-proof the destruction of your most sensitive and confidential data with one of our high security paper shredders, the SEM Model 344. The Model 344 offers an even more secure shred size that we like to call P-7+. This device is the only high security paper shredder on the market that offers a particle size of 0.8mm x 2.5mm (that is 50% smaller than the current National Security Agency requirement!). This compact, portable, energy saving option is listed on the NSA/CSS Evaluated Products List and has a throughput of 12 reams of paper per hour when feeding five sheets at a time.

By opting for in-house data destruction methods, you and your company or agency are making the most cost-effective, safe, and secure decision. It is also important to remember that a data breach is a data breach, no matter the level of impact. At SEM we have an array of high-quality NSA listed/CUI and unclassified paper shredders to meet any regulation. Any one of our exceptional sales team members is more than happy to help answer any questions you may have and help determine which machine will best meet your destruction needs.

How NOT to Destroy Hard Drives

March 2, 2021 at 8:00 am by Amanda Canale

Since the first days of chat message boards and social media profiles, we’ve all heard the saying, “don’t put all of your information online because it never truly goes away.” The same can be said for end-of-life data and information on rotational hard disk drives (HDDs): once information is on there, it’s sometimes near to impossible to fully remove. Aside from implementing a secure, in-house destruction plan, there are many other methods we do not recommend using. Let’s break some of those down.

Recycling and/or Throwing Away

While we support the green initiative in trying to recycle your end-of-life drives, unfortunately, this cannot be securely done. For starters, the majority of our waste and recycling ends up in landfills and dumpsters which are gold mines for hackers and thieves. On top of that, recycling and waste is not transported securely, making it easy for people to intercept and have access to your most sensitive information.

It is reported that, on average, recyclables and waste sit on sorting floors for up to four weeks before finally being destroyed. Anything can happen within that length of time! After this period, remnants of your information or data are not magically sorted; dozens of employees sort what the machines cannot and have direct access to your data. By opting for a seemingly eco-friendlier alternative, you will only put your data at more risk.

Deleting and/or Overwriting

One of the more common (and misleading) data destruction misconceptions is that erasing or overwriting the information on an end-of-life drive and degaussing it are synonymous with one another. While methods such as cryptographic erasure and data erasure would allow the drive to be used again, they are not a secure and foolproof form of destruction. Information, whether encrypted or unencrypted, can still linger behind on the drive and be accessed, even if it has previously been deleted or overwritten.


Burning

Burning a hard drive, whether with a blow torch or roasting it on a stick, is highly discouraged. Not only would this require protective gear and holding platters at a safe distance with a heat resistant tool, but burning hard drives also releases harmful fumes into the air in the process.

Unfortunately, just because a drive experiences physical damage, it does not mean that the information has taken the same hit. Take for instance the 2003 explosion of the Columbia space shuttle. As the spacecraft made its way into the atmosphere, a piece of the insulation foam had detached, causing it to become enflamed and combust. The horrific disaster resulted in the loss of everyone aboard as the shuttle disintegrated on its way back to Earth.

Just about six months later, a rotational hard drive that was aboard the Columbia was found in a riverbed. It was discovered that the drive had not only survived the initial explosion, but had also survived a 40-mile fall while on fire at terminal velocity and six months in a muddy riverbed. The most interesting part? Even after all of that, 99% of the data that resided on the drive was recovered. It’s safe to say that burning a hard drive is not only harmful to you and the environment but is a tactic that simply won’t work. We suggest sticking to roasting just marshmallows over future fires.



ITAD

ITADs, or information technology asset disposition companies, are third-party vendors that sanitize and destroy end-of-life data and drives. While the appeal of these types of companies can be quite convincing, we at SEM do not recommend utilizing them when getting rid of your end-of-life data. While there are some reputable ITAD and data sanitization companies out there, the risk may not be worth the convenience. Security risks can be unpredictable and potentially catastrophic, as it can be far too easy for ITAD vendors to misuse, mishandle, and misplace drives during transportation, destruction, or disposal. It has also been reported that some vendors sell end-of-life devices and their sensitive information to online third parties.

During the summer of 2020, financial institution Morgan Stanley came under fire for an alleged data breach of their clients’ financial information after an ITAD vendor misplaced a number of drives that were storing personally identifiable information (PII). Instead, we suggest purchasing one of our NSA listed devices, keeping the chain of custody within the company, and conducting all destruction in-house.

Other (Un)Worthy Methods

  • Submerging the HDD in acid
  • Using a drive as target practice
  • Running over HDDs with your car
  • Giving HDDs a bubble bath
  • Physical destruction with a blunt object
  • Attaching industrial-strength magnets

Regardless of the catalyst for end-of-life drive destruction, it is always best practice to conduct destruction and degaussing in-house. SEM recommends always following NSA standards and degaussing all magnetic media, including hard disk drives (HDDs), prior to destruction. Solid state drives (SSDs) and optical media cannot be degaussed, so crushing and/or shredding is recommended for them.

By first degaussing then physically destroying HDDs, companies are choosing the most secure method of data destruction per NSA guidelines as this is the only way to be certain that the end-of-life data has been properly destroyed. When magnetic media is degaussed, our devices use powerful magnetic fields to sanitize the magnetic tapes and drives, wiping all sensitive information from the device. This act renders the drive completely inoperable, which should always be the end goal. Once the device has been degaussed, it should be physically destroyed. The combination of degaussing and physical destruction for HDDs is without a doubt the most secure method of ensuring your end-of-life data stays at the end of its life.

It is also important to remember that a data breach is a data breach, no matter the level of impact. While not all degaussing machines are adequate to demagnetize all rotational hard disk drives, at SEM we have an array of various high security NSA listed/CUI and unclassified magnetic media degaussers to meet any need and regulation.

Most Notorious Data Breaches

February 26, 2021 at 8:00 am by Amanda Canale

From January to June 2019, it was reported that there were approximately 4,000 publicly disclosed data breaches, all of which had resulted in close to 4.1 billion compromised records. (That is half the number of people living on Earth!) In 2020, the rate of data breaches had decreased slightly, but studies show that there is no sign of them slowing down. While data breach tactics are constantly evolving, there are a multitude of ways a company or individual can prevent their most sensitive and confidential information from being stolen.

We’ve broken down some of the more infamous data breaches below and included best practices to ensure that your data stays protected.

U.S. Department of Veterans Affairs

In May 2006, the U.S. Department of Veterans Affairs found itself in the midst of some hot water when it publicly announced that a data breach had compromised the records of 26.5 million veterans. Among the private and sensitive information that was stolen were names, dates of birth, and Social Security numbers in addition to other personally identifiable information (PII), such as disability ratings.

The breach was caused by a Veterans Affairs data analyst who had taken home from the office a laptop and external hard drive that contained the unencrypted information of all 26.5 million affected veterans. The laptop and hard drive were then stolen from the analyst’s home during a burglary, which ultimately led to the breach.

While the department stated that there was no evidence to prove that the stolen information had been used illegally, unfortunately, that is not a risk one should be willing to take. It’s important to note that there is no statute of limitations on data breaches; just because the information wasn’t misused then, doesn’t mean it won’t happen in the future. Therefore, it is always safer to leave that sort of information at the office or to have a secure system in place if that information needs to be accessed remotely.

Exactis

Marketing and data aggregation firm Exactis suffered a major breach in 2018 when a database containing sensitive information on 340 million individuals was accidentally released to a publicly accessible server. The stolen data totaled out to about 2TB worth of information on not only American individuals but businesses as well. (Remember: one-tenth of the Library of Congress can fit on a 1TB drive. Now double that!)

This breach, luckily, did not contain individuals’ credit card information or Social Security numbers, but it did contain names, email addresses, phone numbers, and even the ages and genders of a person’s children. This aspect of the breach is especially important to mention because even with a lack of financial or sensitive information, the information that was stolen can carry just as many negative consequences as it is all personally identifiable.

Having secured workspaces, servers, and data security protocols in place is just as vital to preventing a data breach as an in-house data destruction plan.


TRICARE

In 2011, military health program TRICARE announced that several of their computer tapes were stolen. The tapes in question were backup tapes of a military electronic health-record system that was in use from 1992 to 2011 and reportedly held the personal health information (PHI) of approximately 4.9 million subscribers.

The breach occurred when a TRICARE employee was tasked with transporting the tapes to an off-site storage facility as part of the company’s routine backup procedure, and the employee’s car was subsequently burglarized. While no financial information was held on the tapes, information pertaining to Social Security numbers, addresses and contact information, and even personal health data such as clinical notes, prescriptions, and laboratory tests were among the data stored.

While the military insurance carrier deemed the breach as a low risk to the affected individuals, only some of the information had been encrypted, meaning that most of the information would be fairly easy to pull and use for illegal purposes.


A common denominator in the data breaches above is not only human error but the misuse of drives containing sensitive information during storage and transport. We understand that destruction does not always happen immediately after the drives and data are deemed end-of-life. Businesses may not have the proper equipment in-house or budget to outsource destruction, but it is for this reason in particular that we at SEM stress that precautions and protocols should be in place to securely store and protect all data once it meets its end-of-life.

Whether the company is a small business, government agency, or health insurance carrier, all information and data should be locked up in a secure location, regardless of its end-of-life status. By leaving drives, whether encrypted or not, in unlocked office desk drawers, easily accessible boxes, or even in your personal vehicle and home, they are left vulnerable to hackers, thieves, and carelessness. We have more information on how to properly store your end-of-life data while awaiting destruction in this blog post.

When it comes to the destruction of data, it is always best practice to have an in-house destruction plan in place. At SEM, we have an array of high-quality, high security NSA listed/CUI and unclassified magnetic media degaussers, IT crushers, and enterprise IT shredders to meet any regulation. Any one of our exceptional sales team members is more than happy to help answer any questions you may have and help determine which machine will best meet your company or federally regulated destruction needs.