The global datasphere, i.e., total data created, captured, and replicated, is growing rapidly, and it is expected to reach 175 ZB by 2025 as per IDC Data Age 2025 report. Majorly, organizations store and process this humongous data, including their customers’ personal data, business intelligence, and other sensitive information. This data requires constant protection against threats and vulnerabilities emerging across the data lifecycle stages spanning collection, storage, processing, sharing, retention, and destruction.
Notably, the storage hardware— bearing this sensitive data throughout its lifecycle— is the single overarching element that plays a decisive role in the organization’s ability to attain failsafe & end-to-end data protection & security.
It is widely known that actively used storage devices, including PCs, hard drives, and servers, get round-the-clock data protection using antivirus, firewall, IT surveillance, etc. Organizations take rigorous policy-driven measures to protect sensitive data from threat actors like hackers and malware that lay siege to their storage hardware and network through cybersecurity attacks and data interception. However, data security at the end-of-life of IT assets is largely overlooked — i.e., the procedural data protection rigor tumbles when the storage devices transition to their disposal stage. Generally, such old IT assets are beyond the purview of cybersecurity protocols; however, they yet store sensitive data, posing risks of data leakage, data breaches and penalties. Failure to destroy this data adequately can result in data breach incidents with severe repercussions like financial penalties, loss of reputation, customer loss, and litigation. Therefore, the data stored on legacy IT assets must be safely disposed of using the recommended data destruction techniques.
There are several real-world situations involving the neglect of data security or insufficient measures for safe disposal of old IT assets, leading to sensitive information leakage as follows:
An organization might inventory its data-bearing legacy hard drives, computers, and servers in their warehousing facility before sending them to an ITAD facility for shredding or recycling. Such bulk inventoried devices are at risk of theft or loss due to lapses in physical security, surveillance loopholes, misappropriation, etc., and can fall into the wrong hands. In this scenario, the organization, despite following formal disposal measures like shredding, assumes an immense risk of data leakage emanating from the stockpile of devices until they are shredded. The situation can cause sensitive information leakage, resulting in compromising of trade secrets & personal data, falsification of records, litigation, brand damage, etc.
Storage media formatting and factory resetting are methods to prepare the device for fresh use. However, these are not secure methods to attain permanent data removal from the storage device as any freely available DIY data recovery software can recover the deleted data from a formatted device. For example, an organization’s IT asset management team may format the end-of-life hard drives and PCs before selling them. The vendor could refurbish the devices without adequate data disposal measures and sell them in the secondary market.
One of the world’s largest lab study of second-hand storage media conducted by Stellar® provides empirical evidence of the lack of awareness concerning safe data disposal practices. The study, investigating the world’s largest known sample of 311 used storage devices acquired from the secondary market, revealed that 7 out of 10 used devices were flush with sensitive information. About 25% of these devices were disposed of after formatting or deletion without awareness that data was still inside the storage media in a recoverable form.
Data security issues concerning end-of-life IT a
ssets might also crop up due to faulty practices when trusting third-party vendors with the disposal of used storage hardware. In this regard, having an ironclad contract that demarcates vendor responsibilities is crucial for safe and compliant data disposal downstream, beyond the custodian organization’s direct supervision.
However, despite having explicit paperwork, organizations may fail to follow through the process and maintain the vendor-supplied documentation that attests to compliant data disposal. This situation could lead to a data breach incident which would invariably hold the organization responsible in the absence of the necessary audit trails. The Morgan Stanley data breach incident that involved reporting of unwiped data on the company’s decommissioned servers— handed over to a vendor for data destruction & disposal— underscores the need for stringent vendor management practices and audit trails.
Organizations may choose to donate a bulk of their old IT assets to fulfill CSR obligations. This is another situation where storage devices transition the chain of custody and land up with an unknown third party. If such devices are not sanitized using an appropriate data destruction method like data erasure, they might expose sensitive personal and business data to nefarious entities, resulting in data theft.
In a similar scenario, an organization may auction its old IT assets to salvage the residual value or abandon them in circumstances like bankruptcy. Such devices released from custody without proper data disposal could leak sensitive information, resulting in “backdoor breach.” The Netlink Computer Inc. (NCIX) case illustrates this risk scenario. The company had abandoned its old IT assets that later appeared on Craigslist. The devices were found to have 13 TB of data comprising 4 million database records.
Disposing of storage devices containing sensitive data can lead to significant data security issues, eventually leading to multiple risks as follows:
Security breaches can lead to immense financial losses through fraudulent transactions. Breach of customers’ sensitive data such as online banking credentials and credit card details makes the organization liable for paying the damages.
A data breach incident can trigger legal action, including lawsuits by customers, resulting in massive penalties. For example, GDPR violation can result in fines of up to 4% of the company’s annual turnover or €20 Million. Similarly, HIPPA violations can impose penalties of $50,000 per violation for willful neglect.
An information security breach can dent a company’s image, culminating in bad publicity, reputation and customer loss. Aside from financial losses, the situation can have a lasting “strategic” impact on the company’s competitive positioning in the market.
Security breach and theft of corporate data such as intellectual property and business intelligence can flatten an organization’s competitive advantage, razing its long-term positioning.
Overlooking data security at the end-of-life of IT assets can result in data breach incidents that could impose penalties in the tunes of several million dollars. For many organizations, such sizable fines could mean bankruptcy.
Suggested Reading: Unsafe Data Disposal: Risk Implications for Organizations
Data erasure (or data wiping) is one of the most effective methods to destroy sensitive data stored on PCs, external hard drives, servers, etc. The method uses the technique of ‘overwriting’ the existing information with binary patterns like 0s and 1s such that the data is destroyed forever with no chances of recovery even using laboratory services.
The best way to perform data erasure is using a professional software such as BitRaser Drive Eraser — a tool that can wipe the data stored on all types of hard disk drives and solid state drives used in PC, Mac, and servers to ensure protection against sensitive information leakage.
Data protection and security are crucial business needs considering the prodigious growth of sensitive data, needing rigorous management across the lifecycle stages. While cybersecurity measures protect sensitive data leakage from storage devices during their active usage, the data protection levels dip at the end-of-life of IT assets. Inadequate data disposal is a key concern in regards to disposal of legacy IT assets that can culminate in major data security issues such as sensitive data leakage. The situation can jeopardize the organization’s data privacy goals with consequential impact in the form of financial losses, legal action, etc.
Data erasure provides an effective method for safe disposal of the end-of-life IT assets by overwriting the sensitive information, guaranteeing permanent data destruction with no possibilities of recovery using any method or technique.