According to a story in IT World, a group of reporters doing research for the PBS show, Frontline, has acquired a hard drive in a market in Ghana that contains a large amount of confidential data pertaining to US government contracts with Northrop-Grumman. The group was on assignment investigating the global business of disposing of electronic waste. The information, which was not encrypted, was contained on a used hard-disk drive that the researchers bought for the equivalent of $40.
The drive had belonged to a Fairfax, Virginia, employee who still works for the company and contained “hundreds and hundreds of documents about government contracts,” said Peter Klein, an associate professor with the University of British Columbia, who led the investigation for the Public Broadcasting Service show Frontline. He would not disclose details of the documents, but he said that they were marked “competitive sensitive” and covered company contracts with the Defense Intelligence Agency, the National Aeronautics and Space Administration and the Transportation Security Agency.
According to the company, the disk drive came from an old computer that had been delivered to an outside waste management firm for disposal, a fairly common arrangement for dealing with old hardware. (Old electronic devices are problematic to dispose of, because they often contain toxic materials, such as lead, cadmium, or mercury, in addition to possibly containing sensitive data.) They say their records indicate that the drive must have been stolen from the disposal contractor after it left Northrop-Grumman.
The improper disposal of devices containing sensitive information is a widespread problem. In the present case, it has an element of irony:
Some of the documents talked about how to recruit airport screeners and several of them even covered data security practices, Klein said. “It was a wonderful, ironic twist,” Klein said. “Here were these contracts being awarded based on their ability to keep the data safe.”
One of the reasons third-party disposal is a popular option is that it is relatively cheap, in part because much of the stuff gets shipped to other countries, which have considerably less stringent environmental regulations than the US. There the equipment is disassembled for parts, precious metals, and so on:
According to Klein, it’s common for old computers and electronic devices to be improperly dumped in developing countries such as Ghana and China, where locals scavenge the material for components, often under horrific working conditions.
Of course, potential data thieves can make use of them, too. It is hard to blame the governments of these poorer countries for not protecting first-world consumers from the consequences of their own carelessness.
If you are interested in, or responsible for, keeping sensitive data secure, I suggest first that all such data on portable devices (e.g., laptops, flash drives, smart phones) be encrypted. When you have equipment to dispose of, do not depend on “disk wiping” software to erase all the data. It is actually very hard to do that well enough so that there is no way to recover any of the information. (For example, the software may not completely wipe disk blocks that are marked as defective.) These programs are fine for keeping your pesky kid brother from reading your files from an old disk, but if you need to be sure, physical destruction of the media is the only really safe option.