The Importance of Hard Drive Destruction

Real Life Business Case Studies

It’s well recognised that businesses have a myriad of data protection requirements to keep up with and that they must take their responsibilities for both customer and organisational data management seriously. When it comes to ITAD (IT Asset Disposition), all data must eventually be removed entirely from the systems on which it’s stored, and the hardware destroyed. But what happens if this isn’t done properly or effectively? We have some real-life examples of such failures to share, and those in tech should consider them a warning!

Morgan Stanley fined $35 million for mishandling data center decommission

In 2016, Morgan Stanley decommissioned two of their data centers – a fairly normal occurrence for such a large company with so many IT resources. A third-party company was hired to handle the project, and both data centers were shut down with thousands of devices involved. The organisation failed to ensure the project was properly managed and that the data on the devices (much of it unencrypted) was kept secure.

The devices were removed from the data center, but the data was never removed from them. The drives were then sold online, and thousands of disks that still contained customer data entered the public domain, exposing the personal data of up to an estimated 15 million customers!

Needless to say, when the error was found, Morgan Stanley’s reputation was severely damaged by this lack of proper governance and data security. Customers of the company and of other financial institutions alike feared their data being made public, damaging trust across the whole industry.

The Securities and Exchange Commission (SEC) ruled in 2022 that Morgan Stanley had vastly mishandled the customer data for which it was responsible – even though a third-party company was doing the work. The SEC highlighted Morgan Stanley’s “extensive failures” internally and provided guidelines for financial institutions on how best to retire their EOL (End Of Life) hardware. It fined Morgan Stanley $35 million, although the repercussions far outweighed the financial cost alone.

Health Center exposed personal medical details of over 100,000 patients

In 2021, the HealthReach Community Health Centers in Maine, USA, discovered a breach of patient health data due to improper hard drive disposal.

They too passed EOL IT hardware to a third-party data storage facility to manage a decommissioning project for them. However, it was determined that an employee at the facility did not remove the data held on the drives, and it was leaked.

Given the nature of the business, the data on the hard drives was extremely sensitive. Estimated to include health records for up to 117,000 patients, the leak included names, addresses, birth dates and Social Security numbers alongside protected health information (PHI).

Perhaps even more damning is that the leak wasn’t identified by HealthReach themselves. An independent security consultant purchased a number of computers and devices from companies that resell hardware as refurbished. Those companies had bought them from other ITAD firms, all of whom claimed to properly destroy data before resale.

Using just a few data retrieval tools, the consultant found that only three of the devices purchased were encrypted. Alongside the health data, information including personal identifiers, credit card numbers and driver’s licence details was recovered.

HealthReach continues to work with cybersecurity counsel to determine how to respond to and manage the data breach, and its full impact is yet to be realised.

Brighton and Sussex University Hospital has EOL hard drives stolen

The US isn’t the only place that has seen private medical data leaked. In the UK, the NHS fell foul of ill-advised ITAD methods when hard drives that Brighton and Sussex University Hospital had sent for destruction were stolen.

Rather than having the data removed and the hard drives properly disposed of, the hardware was stolen from the company responsible for processing it. The thief then placed the drives for sale on eBay – containing the patient data of thousands of people.

The hospital was fined £325,000, and the ongoing effects of the leak still aren’t certain. However, it’s believed that the incident is partially responsible for NHS bosses choosing to move to a hybrid cloud service for data storage, reducing the amount of physical asset processing and eventual destruction required.

Dutch citizens’ data exposed after random market purchase

In the Netherlands, an unnamed man purchased several hard drives at a public flea market. When he powered them up and accessed them, he found personal information on Dutch citizens from the Utrecht, Delft and Houten regions, spanning identifying data including citizen service numbers, addresses, birth dates, prescriptions and medical details. Dated across an eight-year period from 2011 to 2019, the data is believed to have originated from local authority records.

The exact origin of this data and the means by which it was leaked have yet to be made public. However, it’s believed that the authorities involved had a policy of reselling hardware when workers left their employment, and that the data hadn’t been properly sanitised before doing so. While the resale of such assets may create extra value, not investing first in correct and appropriate levels of data destruction can have dire consequences.

Which industries are most at risk of improper data destruction?

The exact extent of data misuse may never be fully known, but it should be noted that any business holding any data at all is at potential risk.

The British ICO (Information Commissioner’s Office) records data security trends over time. Its records indicate that so far such incidents have been most prevalent in two industries – healthcare and property services. A Freedom of Information request filed by a tech company also showed data security concerns at government level, with recorded incidents of data-rich USB sticks being lost by HM Revenue and Customs. Furthermore, analysis of the ICO’s records shows frequent issues with:

  • Organisations not tracking data storage devices properly
  • Regular misunderstanding of proper asset management for smaller devices
  • Businesses choosing not to encrypt data but instead relying on Multi-Factor Authentication (which controls logins, not the data sitting on a drive once it leaves the building).

What are the risks of compromised data?

There are several risks associated with the leaking of secure data, whether from hardware that should have been disposed of or otherwise. These include:

Risks of leaked data for individuals

  • Privacy violations – where data that was intended to be kept private, or between an individual and a designated third party, is leaked, the information may be passed on to others who were never intended to see it
  • Identity theft – where PII (Personally Identifiable Information) finds its way into the wrong hands, an individual’s identity can be compromised
  • Financial fraud – where financial details are picked up by someone malicious, fraud and theft can be committed.

Risks of leaked data for businesses

  • Reputational damage – when customers learn that a business has compromised their or other people’s data, they lose trust in the brand
  • Legal penalties – the business may face legal penalties if it is found to have mismanaged data for which it was responsible
  • Financial losses – businesses mismanaging data may be subject to fines from regulatory and legal bodies, as well as the increased investment required to manage any data incident and ensure it doesn’t occur again.

What can businesses do to avoid improper data destruction?

It is critical that businesses take the appropriate measures to ensure data is properly secured and then destroyed when hardware reaches its EOL. There are guidelines provided by NIST and IEEE, which state:

  • NIST (SP 800-88) – data should be removed from a device by clearing or purging it, or by destroying the device (applicable to HDDs, flash drives and mobile devices)
  • IEEE 2883 – aligns with the ISO/IEC 27040:2024 storage security standard, making it applicable to data destruction across the newest technology, including NVMe drives.

It is critical, therefore, that businesses choose to work with an ITAD provider who:

  • Guarantees to adhere to all legal protocols and best-practice standards to avoid any potential data breaches
  • Offers a variety of data destruction services to ensure the most appropriate option is used for each device and data type
  • Properly balances environmental and security risk factors
  • Provides full chain-of-custody management for every asset, including audit and government-approved data sanitisation
  • Provides a certificate of full, thorough and guaranteed data removal upon completion of any hardware destruction, refurbishment or resale.
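Every case above shares one gap: a drive left the owner’s hands and nobody verified the data was actually gone before it was resold. The Python below is an added example, not Procurri’s tooling or code from NIST or IEEE; it checks a drive image sector by sector against the overwrite pattern of a clear and builds the evidence a certificate of data removal should cite. The asset tag, method string and sample images are constructed for the demonstration.

```python
import hashlib
from dataclasses import dataclass, field

SECTOR_SIZE = 512

@dataclass
class VerificationResult:
    """Outcome of checking a drive image after an overwrite-based clear."""
    total_sectors: int
    image_sha256: str
    residual_sectors: list = field(default_factory=list)

    @property
    def sanitized(self) -> bool:
        return not self.residual_sectors

def verify_overwrite(image: bytes, pattern: bytes = b"\x00",
                     sector_size: int = SECTOR_SIZE) -> VerificationResult:
    """Compare every sector with the expected overwrite pattern; a sector
    that differs is residual data and the drive must not be released."""
    expected = (pattern * (sector_size // len(pattern) + 1))[:sector_size]
    total = (len(image) + sector_size - 1) // sector_size
    result = VerificationResult(total, hashlib.sha256(image).hexdigest())
    for i in range(total):
        sector = image[i * sector_size:(i + 1) * sector_size]
        if sector != expected[:len(sector)]:
            result.residual_sectors.append(i)
    return result

def sanitization_record(asset_tag: str, method: str,
                        result: VerificationResult) -> dict:
    """Evidence for the certificate: asset tag, hash of the verified image
    and a pass/fail outcome, so custody records show verification ran."""
    return {
        "asset_tag": asset_tag,
        "method": method,
        "sectors_checked": result.total_sectors,
        "residual_sectors": list(result.residual_sectors),
        "image_sha256": result.image_sha256,
        "outcome": "PASS" if result.sanitized else "FAIL",
    }

# Constructed sample images (not real drive contents), eight sectors each:
# a fully cleared drive and one where sector 5 was never overwritten.
CLEAN_IMAGE = bytes(8 * SECTOR_SIZE)
LEFTOVER = b"patient record (constructed)"
_dirty = bytearray(CLEAN_IMAGE)
_dirty[5 * SECTOR_SIZE:5 * SECTOR_SIZE + len(LEFTOVER)] = LEFTOVER
DIRTY_IMAGE = bytes(_dirty)
```

A drive that was purged by cryptographic erase or a firmware secure-erase command will not read back as a fixed pattern, so that path needs its own verification rather than this sector comparison.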

How can Procurri help?

Procurri offers all of the above with our ITAD services, while continuing to offer zero-to-landfill ITAD services to ensure we remain carbon neutral as a business.

Every asset is managed and tracked from pick-up and processing right through to redeployment or remarketing, and our data destruction maximises the chances of resale – helping achieve the highest possible residual value.

Want to ensure your data is safe from leaks while continuing to focus on environmental and resale opportunities? Get in touch with the Procurri team today and let us create a bespoke ITAD approach for you!