Necessity of a Secure Data Wipe
According
to projections from The Radicati Group, in 2021 we will be sending
320,000 million emails per day. An immeasurable amount of data. Companies
create much more Big Data than before and at an increasingly rapid rate.
According
to New Vantage's 2019 Big Data and Artificial Intelligence Executives Survey,
91.6% of organizations are investing in Big Data and artificial intelligence. They
are doing it to ensure their transformation into agile and competitive
companies. When we examine these numbers, the scale of the average
company's data footprint can be difficult to grasp.
Nowadays,
companies not only have to deal with backup copies to tape and
hard drives, but there are also mobile devices, memory cards and now, more than
ever, virtualized environments. No matter what kind of data a company
produces, it is essential to manage it safely and in compliance with
regulations, not only during storage and transit, but also at the end of its
useful life.
Everyone
should understand the importance of erasing their data. Regardless of
whether you want to sell a used Smartphone on eBay or have a company legally
obligated to destroy sensitive information, implementing secure data
destruction practices can save you and your company from difficult situations
like a data breach.
Recent examples of
data deletion failures
However,
some users and companies show a surprising degree of negligence in this regard. A
significant privacy breach occurred in Japan in 2019, when 18 hard drives used
by the Kanagawa Prefectural Government to store taxpayer data were auctioned
online, rather than destroyed. The hard drives had to be safely destroyed
and were instead sold by an employee of a Tokyo recycling company. The
total data of the devices sold reached 27 terabytes and contained the names,
addresses and records of tax payments of taxpayers. After buying 9 of the
hard drives on the Internet, a user contacted the prefectural government to
alert about the situation.
In
the same year, during a study commissioned by Ontrack in
partnership with Data Wiping
specialist Blancco, 159 used discs purchased from eBay were analyzed. The
results were overwhelming. Residual sensitive data was found in 42% of the
units, and 15% of them contained personally identifiable information, such as
passport information, birth certificates, university documentation, financial
records and photos.
What is the difference between
Data Deletion and Data Wiping?
Data
Deletion and Data Wiping
may look similar, but should not be confused. Deleting data leaves data
recoverable, while deleting data is permanent. This is especially
important for companies as confusing these terms can lead to significant
problems under the terms of the EU GDPR.
There
is a lot of confusion surrounding the definition of Data Wiping. Most of
the problem stems from the various methods available to achieve this, for
example, factory reset, formatting and data deletion are some of the methods
that are not capable of achieving data sanitization. Despite this, the
vast majority of organizations believe that these are the appropriate methods. This
causes organizations to generate vulnerabilities to potential data breaches in
their own security.
Without
adequate data disposal methods, no organization can guarantee the protection of
sensitive customer information.
What makes data
destruction safe?
As
the examples above demonstrate, failing to make the effort to securely erase
your data can lead to catastrophic results. Considering that this is an
age of increasingly intelligent interconnected technology, it is worth
remembering that every byte of electronic information exists in physical form. Regardless
of how it appears on the screen, somewhere there is a memory chip or a hard
drive board ready to be boarded.
Therefore,
both the company and users must keep track of data assets that have reached the
end of their useful life, and then destroy them on the site. This may not
sound too complex, since anyone with a rudimentary knowledge of technology can
know, at least in theory, if not in practice, the concepts of disk formatting
or factory reset. If this doesn't happen, they might consider throwing an
old laptop in the trash, before risking its unauthorized reuse.
Unfortunately,
safe data disposal is not that simple. None of the above methods guarantee
that the information stored on those devices is not recoverable; in fact it may
only take minutes to recover it with a free data recovery software
package.
What's wrong with
formatting the hard drive?
A
common belief regarding formatting the hard drive is that it completely erases
the device. This is not true, as most of the time a format leaves almost
all the data intact. Its purpose is to dismantle the existing file system,
if one exists, and generate a new one, not to securely and permanently delete
sensitive information. The operating system may not be able to read it as
usual, but it is still there.
If
we make a simple analogy, we can think of a hard drive as a giant library in
which the books represent individual files. A quick format is the
equivalent of destroying the library catalog. The library may be difficult
to navigate without the catalog, but the books are still there. Regarding
the retrieval of that information, it requires very little technical knowledge. Anyone
can do it with software tools like Ontrack EasyRecovery.
And a factory
reset of a mobile device?
Although
the process may seem different, performing a factory reset on a Smartphone or
any other device with flash memory is the same as formatting a conventional
disk, the contents of the chip remain exactly where they were, invisible to the
operating system, but nevertheless recoverable.
An Avast study shows
the dimensions of the problem. The company purchased 20 used smartphones,
with factory reset, from pawn shops around the world. Using existing data
recovery software, the company recovered 2,000 personal photos, emails, text
messages, bills, and an adult video.
Disturbing
studies such as the one mentioned show that as the use of mobile devices
increases in the business world, companies must move their secure data
destruction practices beyond hard drives and files on
tape.
Does physical
destruction of devices responsible for Data Wiping?
You've
probably seen movies where the characters try to destroy incriminating
evidence. They smash a hard drive with a hammer or smash a computer with
an ax. It may sound impressive, but destroying the hardware does not
guarantee that the data will be irretrievable.
Data
can still be recovered from a physically damaged storage device. A recent
video from Ontrack amply demonstrates this. Let's think of
a steamroller against a Smartphone!
Although
it appears to be a failsafe and last resort method, piercing a hard drive with
a drill does not guarantee that sensitive information will remain
unrecoverable.