While cybersecurity is a more prominent topic today than ever, the old blind spots still manage to pop up
Data from a global financial auditing firm, personal medical records revealing data on cholesterol and blood tests and personal company information were all identified and recovered from second-hand hard drives sold online.
Project Harvest, a research project carried out by cybersecurity firm VM Group, analysed 125 second-hand hard drives that were on sale on sites like eBay and Done Deal, where they can be purchased for as little as €10.
From their research, 79 per cent of accessible drives had been deleted or formatted but still contained recoverable information, while 21 per cent contained data that could be easily recovered. Only 21 per cent of the hard disks analysed were entirely wiped.
On 18 hard drives, there was no attempt at deletion while 12 hard drives had information that could identify the organisation in detail.
All the hard drives were sourced from the Republic of Ireland and were subject to forensic best practice but the founder of VM Group, Dr Vivienne Mee, said this doesn’t mean that only those with expertise can recover data. There are free tools online which can help those without technical knowledge to achieve the same results.
“People will say they’re forensics experts, but the tools we used are open-source and could easily be found online,” she explained. “[They could be] used by anybody to get this information and be accessed by anybody so you didn’t have to be a forensic expert.”
Mee said that the type of information that could be found can be ‘pot luck’ but even considering that, she was shocked to see just how much information the team was able to discover on the drives.
“The key thing we thought was interesting was that 12 hard drives had information from the organisation to be identified,” she said. “Out of those organisations, one was a global financial company that performed financial audits.”
“It’s a massive company which made us think ‘wow’. There were three hard drives from them and we couldn’t believe it. We thought we struck lucky with one drive but we got three of them.”
Delving into data details
The deeper you delve into the data, the worse the situation gets. Out of all the hard drives, fifteen of them contained enough information for individuals to be identified, twelve contained financial material, and nineteen contained copyright material.
The range of companies discovered through this analysis was quite varied too. One involved a graphic designer who had worked for different companies and contained identifying information like purchase order numbers.
Another was a courier company, and the team was able to see the financial struggles it was going through. One had belonged to a medical practitioner, where patient medical test results, sensitive medical reports and, surprisingly, pornographic images were discovered.
One involved a councillor whose disk contained information on management works, council meetings, agendas and planning. Mee said that while such local authority data could have been found in the public arena, it was still interesting to see it on a hard drive.
Other organisations whose information was discovered involved a sales accessories company selling point of sales systems, construction engineers, and a well-known service station.
Many types of personal data were discovered, among them documents such as CVs, wedding speeches, weight-loss photos, family photos, and operations manuals.
Perhaps the most damning aspect of the research is how little things have improved over the years.
A study by Rits Pondera Ireland in 2007 saw it acquire 30 hard drives from private sellers and found that 80 per cent of them had accessible data on them, with 33 per cent coming from an organisation where the owner was easily identified.
Another by Ernst & Young in 2009 found evidence that Irish companies allowed home-based employees to download sensitive company information and client data onto their personal computers.
From second-hand hard drives, it found sensitive information such as customer bank details, credit and debit card details, staff PPS numbers and corporate information.
If this recent project is an accurate snapshot of the state of cybersecurity, it means that little has changed between then and now, despite growing awareness.
“The results are very similar which I’m shocked about because I would have expected there to be an improvement,” Vivienne Mee said. “I wouldn’t have expected [the research] to have findings of global financial institutions, or well-known service stations.
“I was shocked about this because I would have thought the security postures of those would have been significantly improved since 2003. We’re in the same position really when you look at it.”
The other major point to note, although it won’t be of much use to those companies whose data is out in the open, is that this is not a uniquely Irish problem. Similar projects have been carried out in Britain, North America, Germany, France, and Australia where similar results emerged.
Security is a global problem, and while we equate that with the cloud, malware, and ransomware, it shows how some blind spots can be universal.
Lack of change
The reasons why VM Group wanted to do this research, which began in March, go beyond just a cybersecurity check-up.
For one, Dr Mee herself has a history of doing these projects. She was involved in the first study in 2004, carried out by the University of Glamorgan's information security research group.
Much has changed since then, with greater awareness of cybersecurity issues like data leaks, malware, and ransomware, yet while studies were carried out in Ireland, there hasn't been one in recent times.
Wanting to see if much had improved since then, Mee and her team began compiling data on the second-hand hard drive market. To avoid suspicion, a number of people bought the drives discreetly in small batches so sellers wouldn't know the reason for the purchases.
While they were expecting to find sloppiness somewhere, they weren’t expecting such results to emerge, especially considering how crucial security is to companies.
“We didn’t expect to find anything,” Mee said. “We thought we’d find some people’s home drives, personal photos and bits and pieces like that but we were actually quite shocked at what we did find.”
“Especially in today’s world where cybersecurity is spoken about a lot, data disposal is part of the cybersecurity [fabric] and there’s a fear [of being fined for negligence]. People say they do carry out data destruction and any assets that they would have on a removable medium are all encrypted.”
Most worryingly, none of the hard drives analysed by VM Group was encrypted. The team originally expected that they might find one or two where this wasn’t the case.
On a more encouraging note, just over a quarter (27 per cent) of the hard drives analysed were completely wiped, a decent figure, though the expectation had been that it would be much higher.
That said, Vivienne Mee noted that there are potential factors to consider, among them that there is no way of finding out whether the purchased hard drives had been lost or stolen.
Yet even if that were the case, the real problem is that these hard drives were not encrypted in the first place, nor was there any evidence that measures had been taken to ensure data safety.
“You can see that they’re not following through on the full life-cycle of their assets,” Mee said. “The organisations are giving out portable media that’s not encrypted and they’re not doing proper data destruction for those assets. They’re not carrying out proper deletion and if they had encryption, they wouldn’t be in this position.”
“It’s about the cybersecurity mindset of these organisations, especially the likes of the one-man shows like the doctor surgery and maybe the local councillor, [you would imagine] the local authority would be advising on how they should be managing their IT equipment.”
The real impact of regulations
There has been no shortage of cautionary tales out there for businesses to take notice of. One high-profile example happened twelve years ago, when laptops belonging to four Bank of Ireland sales staff were stolen between June and October 2007.
Managers knew since February 2008 that personal data on 10,000 customers had been stolen but decided not to tell the Data Protection Commissioner until ten months after the first theft. Worse, it started encrypting its laptops only in April 2008 despite the low cost of doing so in the first place.
With current regulations, the hope is that a scenario like this would never occur now, yet the research here suggests that this hope may be misplaced.
Individuals and companies may not realise that a simple disk format does not erase data thoroughly: it only clears the file-system tables that point to where each file lives, while the data blocks themselves stay on the disk until something overwrites them. If you have the right tools, many of which can be acquired online, you can retrieve that data.
The fallacy is that if you can't see or access the data on the surface when you connect your hard drive to your PC or laptop, then it's gone forever, but as projects like these highlight, there are other ways to access and recover data.
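Because a format or delete leaves the data blocks in place, a drive should be checked before it is sold on. The following is an added example, not part of the article or of VM Group's tooling: a small Python wipe-verification script that scans a raw disk image for non-zero blocks and common file headers, performs a single-pass zero overwrite, and re-checks. The sample image, the signature list and every function name are constructed for this demonstration.

```python
"""Wipe verification for a raw disk image (added example, not VM Group's tooling)."""
import os
import tempfile

# A few file-header signatures chosen for the demo; a quick format clears the
# file-system tables but leaves data blocks, and so these headers, in place.
SIGNATURES = {
    b"%PDF-": "PDF document",
    b"\xff\xd8\xff": "JPEG image",
    b"PK\x03\x04": "ZIP / Office document",
    b"\x89PNG\r\n\x1a\n": "PNG image",
}
BLOCK = 4096  # scan granularity; headers straddling a block boundary are missed


def audit_image(path):
    """Scan the image block by block; report non-zero blocks and file headers."""
    report = {"blocks": 0, "nonzero_blocks": 0, "headers": []}
    with open(path, "rb") as f:
        offset = 0
        while chunk := f.read(BLOCK):
            report["blocks"] += 1
            if any(chunk):  # any non-zero byte means residual data
                report["nonzero_blocks"] += 1
                for magic, label in SIGNATURES.items():
                    pos = chunk.find(magic)
                    if pos != -1:
                        report["headers"].append((offset + pos, label))
            offset += len(chunk)
    return report


def overwrite_image(path):
    """Single-pass zero overwrite of every block. On a real SSD prefer the
    device's own secure-erase command or full-disk encryption, since wear
    levelling can keep stale copies that a host-side overwrite never reaches."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for off in range(0, size, BLOCK):
            f.write(b"\x00" * min(BLOCK, size - off))
        f.flush()
        os.fsync(f.fileno())


def build_sample_image(path, size=BLOCK * 64):
    """Constructed image: zeros except two 'deleted' files whose bytes remain."""
    img = bytearray(size)
    pdf = b"%PDF-1.4\n% constructed sample: blood test results\n"
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF constructed sample photo"
    img[BLOCK * 10:BLOCK * 10 + len(pdf)] = pdf
    img[BLOCK * 40 + 100:BLOCK * 40 + 100 + len(jpg)] = jpg
    with open(path, "wb") as f:
        f.write(img)


def demo():
    """Build the constructed image, audit it, wipe it, audit again."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        build_sample_image(path)
        before = audit_image(path)
        overwrite_image(path)
        after = audit_image(path)
    finally:
        os.remove(path)
    return before, after
```

Run `demo()` to see the headers located in the untouched image and a clean report after the overwrite; pointing `audit_image` at a real image file (or a block device opened read-only) gives the same pre-disposal check.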
It’s hard to talk about data protection without mentioning GDPR. It was on the tips of everyone’s tongues before and after it came into effect in May 2018 yet, even with the threat of fines and privacy by design, it can feel like companies haven’t internalised its purpose yet.
Considering how readily bad actors can join the dots if they have access to some sensitive information, it is a massive blind spot for companies to allow a situation like this to occur, and it has made Vivienne Mee wonder what impact regulations really have, if any.
“A lot of these would have been in breach of GDPR,” she said. “It’s over a year ago when it was introduced. I thought we’d have zero results on these studies because everyone was so afraid of these fines. It just goes to show that GDPR had no impact.”
“We were able to read about someone’s blood test and cholesterol test, as well as other companies’ information like employees P60s. That’s not fair on those individuals because someone couldn’t be bothered to do a secure erasure or ensure encryption was enabled on their devices.”
Many of the findings from VM Group’s report highlight how little these regulations are followed. If such data fell into the wrong hands, the personal, corporate, and financial information could easily be used for identity theft and fraud.
The more data points you have access to, the more you can join them up to create a better picture of an organisation or person.
Also, although regulations require companies to report breaches the moment they're known, such scenarios could be happening unnoticed, with businesses not realising it.
The most damaging consideration is that this project doesn't break any new ground. Such research has been going on since 2004, and it's concerning that there has been little to no improvement since then.
“We’ll be using it as lessons learned and we’ll be quoting our clients of the research carried out, but if I am honest, if we do quote these to our clients and other potential clients, it’s nothing that they don’t know already,” said Mee.
“Everybody is aware that you are getting rid of the hard drive; you should be deleting it… [and that] information can be easily recovered. It’s not that they’re learning anything new about it, they’re well aware, but it’s highlighting the fact that even though people know about it, it’s not being carried out.”
Tackling blind spots
Going forward, the call to action is pretty obvious. Encryption of hard drives, be it in a personal or professional capacity, is the bare minimum you should be doing.
The good news is that such technologies, like Windows BitLocker, are already accessible to the average user: the built-in encryption service not only encrypts your drives but also protects against unauthorised changes, for example from malware.
The issue is that businesses aren’t using the tools that are already available to them and therefore are overlooking potential security issues.
“The solutions they put in place, they already have access to them,” said Mee. “If BitLocker was enabled on all these devices, especially if they were laptops or desktops, they wouldn’t be in this position.
“They’re not using security measures that are free and readily available to them so they’re overlooking what they could potentially do. Most organisations will say there’s a cost to it, but there’s no [real] cost to enabling BitLocker.”
Dr Mee's advice to organisations is to look at what they already have in place and whether those measures are actually being used to protect their devices.
The number of hard drives on the second-hand market is vast. Data breaches make headlines but for any company this is an easy problem to overcome.
“[Some of the earlier reports were] 13 years ago -- quite a long time since they were done and we’re still in the same position,” said Dr Mee. “That’s really shocking.”