


by Dave Gradijan

Companies Are Selling Your Personal Data—By Accident

Aug 11, 2006

Organizations are inadvertently exposing sensitive information through the sale of used hard drives, despite increased security awareness, according to a new report.

The research found some businesses fail to wipe private employee information, accounting details and sensitive IP data from drives before they are sold.

The report, a second-year joint project by the University of Glamorgan in Wales, Edith Cowan University and vendor BT, collected data from 300 drives obtained from IT auctions, computer fairs and online across Australia, the United States and Germany.

University of Glamorgan research leader Andrew Blyth said the results show hard drives containing sensitive data are still being sold.

“Just from looking at this random sample, it is obvious that there are hard drives on public sale that still contain highly confidential material,” Blyth said. “This research proves that companies and individuals still need to take this issue of the disposal of information stored on hard drives more seriously.”

BT head of security technology research Andy Jones said organizations should control information exposure, as legal and ethical responsibilities are well known.

“So much has been said already about the availability of information disposal tools, increasing legislative pressures and the growing literacy of computer users that it is difficult to explain why there is still such poor cleansing of disks,” Jones said.

He said business must adopt and enforce a universal information-disposal policy for the sale of disks.

CSO magazine provides a “how-to” primer on properly disposing of data and old computers.

“When organizations dispose of surplus and obsolete computers and hard drives, they must ensure that, whether they are handled by internal resources or through a third-party contractor, adequate procedures are in place to destroy any data and also to check that the procedures that are in place are effective,” Jones said.

Information contained on the drives included payroll information, mobile telephone numbers, copies of invoices, employee names and photos, IP addresses, network information, illicit audio and video files, and financial details including bank and credit card accounts.

By Darren Pauli, Computerworld Australia
