Necessity of a Secure Data Wipe

According to projections from The Radicati Group, in 2021 we will be sending 320,000 million emails per day. An immeasurable amount of data. Companies create much more Big Data than before and at an increasingly rapid rate.

According to New Vantage's 2019 Big Data and Artificial Intelligence Executives Survey, 91.6% of organizations are investing in Big Data and artificial intelligence. They are doing it to ensure their transformation into agile and competitive companies. When we examine these numbers, the scale of the average company's data footprint can be difficult to grasp.

Nowadays, companies not only have to deal with backup copies to tape and hard drives, but there are also mobile devices, memory cards and now, more than ever, virtualized environments. No matter what kind of data a company produces, it is essential to manage it safely and in compliance with regulations, not only during storage and transit, but also at the end of its useful life.

Everyone should understand the importance of erasing their data. Regardless of whether you want to sell a used Smartphone on eBay or have a company legally obligated to destroy sensitive information, implementing secure data destruction practices can save you and your company from difficult situations like a data breach.

Recent examples of data deletion failures

However, some users and companies show a surprising degree of negligence in this regard. A significant privacy breach occurred in Japan in 2019, when 18 hard drives used by the Kanagawa Prefectural Government to store taxpayer data were auctioned online, rather than destroyed. The hard drives had to be safely destroyed and were instead sold by an employee of a Tokyo recycling company. The total data of the devices sold reached 27 terabytes and contained the names, addresses and records of tax payments of taxpayers. After buying 9 of the hard drives on the Internet, a user contacted the prefectural government to alert about the situation.

In the same year, during a study commissioned by Ontrack in partnership with Data Wiping specialist Blancco, 159 used discs purchased from eBay were analyzed. The results were overwhelming. Residual sensitive data was found in 42% of the units, and 15% of them contained personally identifiable information, such as passport information, birth certificates, university documentation, financial records and photos.

What is the difference between Data Deletion and Data Wiping?

Data Deletion and Data Wiping may look similar, but should not be confused. Deleting data leaves data recoverable, while deleting data is permanent. This is especially important for companies as confusing these terms can lead to significant problems under the terms of the EU GDPR.

There is a lot of confusion surrounding the definition of Data Wiping. Most of the problem stems from the various methods available to achieve this, for example, factory reset, formatting and data deletion are some of the methods that are not capable of achieving data sanitization. Despite this, the vast majority of organizations believe that these are the appropriate methods. This causes organizations to generate vulnerabilities to potential data breaches in their own security.

Without adequate data disposal methods, no organization can guarantee the protection of sensitive customer information.

What makes data destruction safe?

As the examples above demonstrate, failing to make the effort to securely erase your data can lead to catastrophic results. Considering that this is an age of increasingly intelligent interconnected technology, it is worth remembering that every byte of electronic information exists in physical form. Regardless of how it appears on the screen, somewhere there is a memory chip or a hard drive board ready to be boarded.

Therefore, both the company and users must keep track of data assets that have reached the end of their useful life, and then destroy them on the site. This may not sound too complex, since anyone with a rudimentary knowledge of technology can know, at least in theory, if not in practice, the concepts of disk formatting or factory reset. If this doesn't happen, they might consider throwing an old laptop in the trash, before risking its unauthorized reuse.

Unfortunately, safe data disposal is not that simple. None of the above methods guarantee that the information stored on those devices is not recoverable; in fact it may only take minutes to recover it with a free data recovery software package.

What's wrong with formatting the hard drive?

A common belief regarding formatting the hard drive is that it completely erases the device. This is not true, as most of the time a format leaves almost all the data intact. Its purpose is to dismantle the existing file system, if one exists, and generate a new one, not to securely and permanently delete sensitive information. The operating system may not be able to read it as usual, but it is still there.

If we make a simple analogy, we can think of a hard drive as a giant library in which the books represent individual files. A quick format is the equivalent of destroying the library catalog. The library may be difficult to navigate without the catalog, but the books are still there. Regarding the retrieval of that information, it requires very little technical knowledge. Anyone can do it with software tools like Ontrack EasyRecovery.

And a factory reset of a mobile device?

Although the process may seem different, performing a factory reset on a Smartphone or any other device with flash memory is the same as formatting a conventional disk, the contents of the chip remain exactly where they were, invisible to the operating system, but nevertheless recoverable.

An Avast study shows the dimensions of the problem. The company purchased 20 used smartphones, with factory reset, from pawn shops around the world. Using existing data recovery software, the company recovered 2,000 personal photos, emails, text messages, bills, and an adult video.

Disturbing studies such as the one mentioned show that as the use of mobile devices increases in the business world, companies must move their secure data destruction practices beyond hard drives and files on tape.

Does physical destruction of devices responsible for Data Wiping?

You've probably seen movies where the characters try to destroy incriminating evidence. They smash a hard drive with a hammer or smash a computer with an ax. It may sound impressive, but destroying the hardware does not guarantee that the data will be irretrievable.

Data can still be recovered from a physically damaged storage device. A recent video from Ontrack amply demonstrates this. Let's think of a steamroller against a Smartphone!

Although it appears to be a failsafe and last resort method, piercing a hard drive with a drill does not guarantee that sensitive information will remain unrecoverable.