It is common knowledge that most data breaches are caused by user errors. For example, lax security measures and bad habits create the perfect opportunity for hackers to intervene and steal or encrypt data in a ransomware attack.
While poor security is the number one cause of data breaches, there is another threat that can render even the best security useless: hardware end-of-life.
Want more technical news? Subscribe to the ComputingEdge newsletter today!
How does hardware end-of-life cause data breaches?
Most consumers and many businesses sell, donate, or give away old computers without erasing the hard drive. Deleting files is not enough as deleted files can be recovered easily. Even reformatting a hard drive can leave behind old data.
If you resell a device without erasing your drive, you don’t have to worry about the average consumer looking for a cheap device. However, there are those who routinely buy used devices with the intention of recovering sensitive data.
According to Infosecurity Magazine, criminals retrieve old hard drives from landfills and recover private data to use for identity theft. The same article explains that an Idaho power company contracted to destroy some hard drives, but those drives were resold on eBay and the sensitive data was still there.
End-of-life data breaches are a major problem
It’s not just a few people here and there cleaning up sensitive data from old hard drives. Entire criminal organizations exist for this sole purpose, and they get their hands on sensitive data through legal means such as eBay and Amazon.
To see how big the problem is, in 2018 a data erasure company bought and tested 159 SSD and HDD drives. The company found that 42% of the drives tested still contained data. Notably, the company found photos, names, birth certificates and email addresses on 25 of those drives.
How to prevent end-of-life data breaches
To prevent end-of-life data breaches, your existing information security management system (ISMS) needs to be expanded. For example, security controls and risk management by third parties are critical components of your ISMS. These components need to be expanded to cover hardware end-of-life scenarios where you don’t manage every hard drive with your data.
For example, third-party risk management requires choosing a cloud hosting provider that doesn’t just auction their old servers on eBay without guaranteeing data destruction. To make sure you’re using the right provider, research a company’s business practices and reputation before signing up for their services. For cloud hosting, most people choose Box because they take information security seriously.
When implementing information security controls, it is important to create controls that make it impossible for an unauthorized user to access your data when the device reaches the end of its life. For example, you can ban employees from using their smartphones to access corporate networks to avoid the plethora of problems that can be caused by stolen or recycled smartphones.
You can also limit the data storage to one platform, ban personal devicesand require data to be encrypted on corporate laptops.
It’s easier to prevent data breaches when you own your devices
There are only two ways to avoid this problem with devices under your immediate control – and one is more reliable than the other. The first is to encrypt all data on all devices, and the second is to smash your hard drives before selling a used device.
Which method is more reliable? Technically, smashing your hard drive is more reliable because once it’s broken, it will never be usable again. Encryption provides reliable protection, but only if your decryption key cannot be obtained.
It is not unheard of for hackers to get their hands on an incorrectly stored decryption key, which is why breaking your hard drive is the optimal choice.
How to prevent end-of-life data breaches with hardware you don’t own
Avoiding this problem is more difficult when you don’t own or manage the hard drives where your data is stored. For example, when you store sensitive data in the cloud, you have no control over the physical servers where your files are stored.
If the company replaces their servers by reselling or donating their old machines, your sensitive data can be recovered by the new owner. The best thing to do is to use a cloud storage service that: encrypts data at rest while it is stored on the server.
It’s not perfect, but as long as the company stores its decryption keys properly, encryption provides the most protection against end-of-life data breaches.