A Spring 2009 study on used hard drives by the University of Glamorgan showed that computers sold on eBay and at computer fairs still contain sensitive corporate data from companies such as Laura Ashley, Lockheed Martin, Ford and Nokia. The school frequently undertakes research on behalf of the police and high-tech crime units, with state-of-the-art facilities and researchers who have an established record in network security and data crime analysis. This study, funded by BT and Sims Lifecycle Services, found that a number of hard drives contained a substantial mixture of corporate and personal data.
Of the 300 drives that were purchased, the most notable one was a disk containing the test launch procedures for the Terminal High Altitude Area Defence missile system. The same disk also contained “security policies, facility blueprints and employee social security numbers belonging to the system’s designer, aerospace manufacturer Lockheed Martin.” The researchers turned the drive over to the FBI when they found some employee data still readable on the drive.
That story lives on because the personal data found on the Lockheed Martin drive affected at least one resident of New Hampshire in the United States. Lockheed Martin notified some former or current employees that a hard drive that formerly belonged to the company had been found for sale on eBay by academic researchers participating in a global research project.
Law Required Reporting of Theft of Unencrypted Data
According to state law, Lockheed had to file a letter with New Hampshire's Attorney General. The report states that:
“We are informing you of this incident because your first and last name and Social Security Number (SSN) were contained on the hard drive in question. This was the only personal information found related to you on the drive. We’ve determined that this information was collected between the years of 1999 and 2001 as part of a process to provide access to employees and guests visiting Cape Canaveral and possibly other Lockheed Martin facilities.”
This leads to any number of questions. Why is a government contractor collecting SSNs? Why didn’t the government contractor encrypt the files for security reasons? Why didn’t they redact the data before selling the drive?
From a timeline perspective, the data probably should have been encrypted as soon as it was collected. If it was not encrypted, it should at least have been secured with some form of password protection. It should then have been deleted when it was no longer needed. Finally, the drive should have been wiped before it was sold.
The list of security and plain common-sense mistakes is long. But perhaps the key point is that if the first step had been encryption, all the other errors would have gone unnoticed, since the data on the drive would have been unreadable without the key. When your first step is encryption, you cover yourself for the rest of the hard drive's life.


