Last year, a single lot with 20 servers and over 500 drives came up for sale on Craigslist. The problem—they held 13 TB of data, including one database of 3.8 million customer records and another with 258,000 entries listing full credit card payment details, all unencrypted. The equipment, some of it sent in by customers for repair, had been abandoned by a bankrupt electronics retailer.
This case was ultimately reported after a good tech Samaritan got curious. Most of these breaches, however, never result in a notification email to individuals whose information may have been compromised. In fact, sourcing valuable data from the e-waste stream may be the perfect crime, both profitable and largely undetectable.
The current push toward digital transformation can only exacerbate the problem. Enterprises are rapidly migrating to the cloud. As IaaS and SaaS replace legacy infrastructure and the applications running in the data center, companies are getting rid of on-premises and co-located hardware and, in many cases, closing entire facilities.
Even organizations determined to retain ownership of core business systems are investing in advanced technologies capable of delivering on the promise of the software defined data center and keeping up with the computing demands of Artificial Intelligence.
IT organizations are in a transitional phase, and this is leading to an aggressive cycling of older equipment, which must be decommissioned and processed. Enterprises are courting risk by mishandling the data contained on IT assets sent to the resale market and those tagged for recycling.
The Industry Remains Underprepared
The bane for security professionals is the frequency with which basic measures could have safeguarded confidential information, whether it’s applying a patch to fix a known, or instituting secure asset decommissioning procedures.
Perhaps most disturbing, despite over a decade of reports about the vulnerability of physical assets—remember the Veterans Administration breach?—many data center professionals remain blasé about the threat posed by their used equipment. More than half of organizations content themselves with using free online tools to manually erase data, eventually. Even then, drives may be removed and stored on site for weeks, months, or years before such minimal effort is made to eradicate private information.
The implementation of the GDPR and next year’s roll-out of California’s digital privacy law are increasing the regulatory risk associated with any compromise of sensitive data. The highest cost is often lost reputation, as customers lose trust in the organization’s ability to protect their personal and financial information from bad actors.
Asset Security Measures
Enterprises are right to look to their used IT assets as a potential revenue source. For example, by tapping the resale market, my company generated $42 million for customers over just 12 months. Companies can leverage outsourcing providers to offload such hardware or handle the decommissioning and resale processes internally.
Either way, it’s essential that appropriate procedures be followed to properly decommission equipment – test, wipe, reformat, and when necessary, destroy drives to ensure the highest level of security and keep customer data safe.
Enterprises interested in upgrading their decommissioning security and environmental measures should look to the following resources:
Enterprises interested in upgrading their decommissioning security and environmental measures should look to the following resources:
- U.S Environmental Protection Agencies Waste Wise Program
- European Union’s Waste Electrical and Electronic Equipment (WEEE) Directive
- Standards and guidelines issued by the National Association of Information Destruction, Base Action Network e-Stewards Program
Bypassing an in-depth study of current best practices, a short checklist for responsible decommissioning should include:
- Tracking of all decommissioned hardware at every stage
- Fully quarantined storage with limited, monitored access
- Department of Defense processes for data wiping
- Separate drive reviews by multiple certified technicians to ensure full data destruction
- Shredding of any non-functional disks by a certified provider
- Secure transport of remnants for recycling into raw materials or renewable energy, per government standards
- Documentation of all data destruction and Responsible Recycle certifications
- Third-party auditing to ensure all critical processes are followed
Even as the security industry helps enterprises prepare for increasingly sophisticated cyber-attacks, we must continue to underscore the importance of physical asset security. Companies cannot afford to allow high-profile, technically impressive data breaches covered in the news to distract them from deploying routine safeguards while sensitive information walks out the back door.