The hard disk destruction process tends to get pushed to the back burner by many businesses. This is especially true in the era of third-party IT services, a time when organizations can find a partner to do just about anything for them. However, there is a simple problem with third-party vendors – they're services are only valuable if a company can fully verify that they have followed through on their process. When it comes to data destruction, it is extremely difficult to adequately document and prove that storage media has been properly destroyed and rendered unrecoverable.
Businesses can easily fall prey to data loss or theft when outsourcing electronics waste management, shipping old computers and storage devices to third-party specialists to destroy, only to later find out they weren't properly deleted and sensitive data has been compromised. This isn't just embarrassing, it also creates significant regulatory and reputation damages, not to mention potential litigation. Because of this, companies must maintain a chain of custody through disk destruction and ensure best practices are followed at every stage of the process.
Failing to take disk destruction seriously has led plenty of businesses to end up in the news, but many haven't learned their lesson. Here's another reminder, in the form of a Channel NewsAsia documentary that recently exposed just how much data can be stolen after a supposedly erased hard drive gets into the wrong hands.
"Companies must maintain a chain of custody through disk destruction."
Learning from a worst-case scenario
A Channel NewsAsia report detailed the recent findings of its documentary, The Trash Trail. When the team behind the show explored some old hard drives from discarded computers. The experiment was simple – the producers purchased nine hard disk drives from a variety of shops selling used electronics. The retailers all told the producers that the disks had been properly erased. One went so far as to claim that the store uses special software to properly clean the disk up if they can't get a user's computer to boot properly for typical reformatting.
The problem with all of this, of course, is that reformatting and similar forms of erasing a hard disk does not render data unreadable, something that was discovered by the show when they brought the hard drives to Associate Professor Biplab Sikdar from the department of Electrical and Computer Engineering at the National University of Singapore. Dr. Sikdar described what he found on the disks to be shocking. The nine hard drives included:
- Personal details, such as passport and banking information.
- Nude photos.
- Medical records.
Two of the hard drives had belonged to a business – a marine engineering firm – but the organization wasn't better than consumers at deleting data. Sikdar told the news source that the data found on those drives could be used by individuals hoping to commit fraud or spy on a rival corporation.
"They make ships. And what surprised me was that I found blueprints for the ships here," Sikdar told Channel NewsAsia. "I would have thought that an industry, when they're disposing of their older laptops, they would be more careful in cleaning up their stuff."
Neglecting hard drive destruction is a common problem
The Channel NewsAsia report highlights just how easily data can be recovered from hard drives that have gone through a software wipe. However, that story isn't brought up to embarrass any businesses or people who have neglected to properly destroy hard drives, but to warn others against similar problems. Misconceptions about hard disk destruction abound, and it is easy to fall prey to misinformation or wrong assumptions. The reality is that most forms of both software deletion and disk physical destruction – such as drilling through a disk – are inadequate for complete data removal.
In a USA Today report detailing how the F.B.I. is using broken hard disks in a criminal case, industry expert John Gunn described just how problematic physical disk destruction can be when it is used as the primary line of defense.
"The forensic techniques available today are remarkably advanced, from recovering ghost images to reading minuscule fragments of disk platters," Gunn told the news source. " Any given file occupies less than .0015 square inches, so even small fragments can be read with advanced equipment. Chemical destruction would get the job done, but it is not very practical."
"Businesses that underestimate the importance of proper hard disk destruction put themselves and their customers at risk."
USA Today proceeded to speak with a variety of experts to discuss disk destruction, with the conversation switching between less practical destruction methods, such as thermite, and more realistic options, such as encryption. The most useful tool, however, is a simple hard disk degausser, which blends ease of use, power and accessibility.
Degaussers as a primary disk destruction tool
Technically speaking, degaussers are a form of physical disk destruction, but they work differently than drilling a hole through a disk, shredding it or pounding it with a hammer. All of those methods leave behind fragments of the disk that are readable and can be used to recover a data. A degausser, on the other hand, uses magnetic force to disrupt the metal platters used in a hard disk and render the data stored utterly unusable.
The concept for degaussers is simple enough, and the technology can be deployed in easy-to-use handheld degaussing wands or with dedicated machines. Either way, organizations can purchase a degausser, maintain chain of custody, destroy data and avoid any sort of problems later down the line.
In most cases, it is still practical and useful to shred a disk after it has been degaussed, but that is done to make it easier to dispose of materials properly, not destroy data. It is also a good idea to perform a software wipe to provide some basic protection prior to degaussing.
Businesses that underestimate the importance of proper hard disk destruction put themselves and their customers at risk. With data loss horror stories abounding in the news, it is time for organizations to take a closer approach at how they maintain a chain of custody and destroy data. At Proton Data Security, we offer the degaussing tools and shredders organizations need to support their hardware decommissioning efforts and keep data safe.