The Dangers Of Inadequate Data Disposal

Uploaded on 2022-10-19 in FREE TO VIEW, BUSINESS-Services-Consulting

Leading professional services firm Alvarez & Marsal  (A&M) has released findings by its Disputes & Investigation practice regarding in-depth forensic analysis conducted across six used devices purchased on an online marketplace. 

The project’s aim was to expose the dangers of inadequate data disposal in business and private settings and demonstrate how failure to properly dispose of redundant IT equipment can lead to data breaches, which not only violate data protection laws, but can also result in financial fraud, with devastating impacts on companies’ finances and reputation.

The analysis found sensitive and highly personal data had not been deleted from old devices.

  • Thousands of sensitive documents recovered from the laptops purchased online which their owners believed to have been ‘wiped’.
  • Personal data found across 80% of devices searched.
  • 366 files recovered contained business-related keywords.

A&M was able to recover 5,875 user-generated documents across the six devices. The majority of those items came from carved data (i.e., deleted data on the hard drives of the laptops), with a few documents still sitting on the hard drives, undeleted. 

Most of the data recovered by the A&M team contained highly personal and sensitive information; such as scans of valid passports, as well as various appraisal forms and job application forms detailing personal identifiable details including full names, National Insurance numbers, addresses, emails, date of births and other sensitive data. 

In addition, 366 files analysed on the devices by the A&M team included business-related keywords.  Graeme Buller, Director at A&M, explained: “The rise of bring-your-own-device (BYOD) and remote working are increasingly blurring the lines between personal and business use of devices, exacerbating concerns around data security and the lifecycle management of IT assets... While only 6% of the files recovered in our analysis contained business-related information, the very fact that they made their way onto these personal devices is sincerely worrying. If released into the wrong hands, even what appears to be small, harmless data can have devastating impact on a company.”

Other insights from the document recovery included:

  • 155 documents had references to the term “invoice”.
  • 100 documents had references to the term “court”.
  • 84 files recovered contained the keyword “report”.
  • 23 files recovered mentioned the word “appraisal”.
  • Images were found that consisted of workplace building ID cards, salaries of employees, invoices, and other internal business correspondence.
  • Of the 5,875 documents which were retrieved from the PCs, 366 files included work-related keywords and 4% contained residual data that had been improperly deleted.
  • Web-related items accounted for 16% of overall data.
  • 2,111 email items were found.

Much of the that data A&M captured was done using software that is widely available to anyone and highlights how vulnerable many office devices really are - even when they are believed to be ‘clean’.  

The key here is making sure all devices are wiped correctly and observe a rigorous data disposal management process and A&M recommend these 5 best practice tips when managing data disposal:

1.  Strongly enforce data security policies:   To prevent sensitive data from being transmitted outside of secure environments at the first place, company emails and documents should ideally be kept in a secure location and never saved locally to a machine or device.

2. Establish and maintain a secure data destruction policy:   There should be policies and procedures in place that relate to the secure destruction of data. There should be alignment between Legal, Risk, HR and IT departments to ensure consistent flow of information and to provide clarity around roles and responsibilities for those involved this process.

3. Adapt policies for the new business reality:   Data disposal policies must be updated to reflect the current remote working environment. New considerations should include how to ensure devices are handed back when an employee leaves the firm, or how to remotely wipe IT assets if they refuse to return the device or in case of loss/theft/replacement. One alternative is to create incentivised pathways for staff to dispose responsibly.

4. Ensure all data is securely and effectively wiped:   Deletion and formatting – including factory-resets - do not permanently remove the data from the devices. Data sanitisation practices including the use of specialist software should be introduced to ensure all data is properly wiped and cannot be recovered by hackers.

5. Ensure companywide training:   Ensuring all employees get sufficient training around data destruction, and indeed are educated on the correct way to save data, is key. This should be training across the board and regularly updated to remind employees of the correct procedures, especially as tech continues to evolve. 

In the case of GDPR compliance in Britain, unnecessarily holding on to personal data, runs the risk of fines and likelihood of ICO enforcement action if that data is then involved in a privacy breach.

 Buller concludes: “As our study demonstrates, failure to properly dispose of redundant IT equipment may well lead to data breaches which not only violate data protection laws, but can result in financial fraud, with devastating impacts on a company’s finances and reputation.”

Alvaraez & Marsal:

You Might Also Read: 

Police Get New Tools To Process Digital Evidence:

 

« CYRIN Launches New Docker Lab
Russia’s Cyber Strategy »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

CDW

CDW

CDW is a leading multi-brand provider of information technology solutions to business, government, education and healthcare customers in the United States, the United Kingdom and Canada.

Qualitèsoft Technology

Qualitèsoft Technology

Qualitèsoft Technology is a leading Software Development and Quality Assurance organization. We specialize in Custom Development, Mobile Application, Software Testing and Quality Assurance.

Apricorn

Apricorn

Apricorn provides hardware-based 256-bit encrypted external storage products to companies and organizations that require high-level protection for their data at rest.

Risk Based Security (RBS)

Risk Based Security (RBS)

Risk Based Security provide the most comprehensive and timely vulnerability intelligence, breach data and risk ratings.

cleverDome

cleverDome

cleverDome has created the first community built and proven model that redefines the standards for protecting the most confidential data and information of consumers in the cloud.

Communications & Information Technology Regulatory Authority (CITRA)

Communications & Information Technology Regulatory Authority (CITRA)

CITRA is responsible for overseeing the telecommunications sector, monitoring and protecting the interests of users and service providers, and regulating the services of telecomms networks in Kuwait.

Aryaka

Aryaka

Aryaka’s SmartServices offer connectivity, application acceleration, security, cloud networking and insights leveraging global orchestration and provisioning.

Comparitech

Comparitech

Comparitech strives to promote cyber security and privacy for all. We are committed to providing detailed information to help our readers become more cyber secure and cyber aware.

Presidio Identity

Presidio Identity

Presidio Identity offers a digital-native approach that brings security, privacy, and simplicity to user authentication and digital interactions.

Quantropi

Quantropi

Quantropi is bound to be the standard for quantum-secure data communications – forever unbreakable, no matter what.

Conosco

Conosco

Conosco are industry-leading experts throughout the UK in strategic consulting, project delivery, business communications, support, and security.

Approov

Approov

Approov provides a comprehensive runtime security solution for mobile apps and their APIs, unified across iOS and Android.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Infisign

Infisign

Infisign addresses the challenges of traditional IAM systems and offers a comprehensive solution for modern identity management.

CSIRT-Gnd

CSIRT-Gnd

CSIRT-Gnd provides 24x7 Computer Security Incident Response Services to citizens, companies and government agencies in Grenada.

Cyber Guru

Cyber Guru

Cyber Guru is an effective cybersecurity awareness training platform, enabling organisations to increase their resistance to cyber-attacks by changing employee behaviour.