Tom Bartel – a longtime colleague going back to the early days of Email Publishing in the mid-1990s and a hardcore privacy advocate currently working at Return Path – mentioned a PowerPoint presentation by Simson Garfinkel titled “Remembrance of Data Passed: Used Disk Drives and Computer Forensics.” While I don’t know Simson, we were both in the same year at MIT (’87), and I remember him as the guy who always had articles and photos in a variety of MIT-related publications. I’m reminded of it every time I see an article by him in Technology Review.
If you care about data security and privacy, it’s worth downloading the PowerPoint and scanning through it. Simson bought 235 used hard drives between 11/2000 and 1/2003 from eBay, computer stores, and swap meets. He set up a technical infrastructure to mount the drives, image them (using FreeBSD), store the images on a RAID server, store the metadata in a MySQL database, and then mine the data.
Not surprisingly, he found a huge amount of data, including confidential information such as medical records, HR correspondence, and financial data. For example, Drive #134 was from an ATM in a Chicago bank. It contained one year’s worth of transactions, including over 3,000 card numbers. In this case, the bank had apparently hired a contractor to upgrade the ATMs, and the contractor hired a sub-contractor. The bank and contractor assumed the disks would be properly sanitized, but there were no procedures specified in the contract. As a result, the drives weren’t sanitized correctly and the data was still on them for Simson to play around with.
In addition to explaining the problem and substantiating it with real data, Simson makes a number of suggestions for how to address the issue. Two of his more severe (but logical) suggestions for cleaning all the data off used drives are (a) to degauss them with a Type I or Type II degausser or (b) to destroy, disintegrate, incinerate, pulverize, shred, or melt the drive. Simson’s ultimate prognosis is that “drive slagging is a fool-proof method to prevent data recovery.” Just be careful not to light your house (or office) on fire.
Simson logically ponders this issue, especially in our current Patriot Act-governed world. For less than $1,000 and working part time, he was able to collect thousands of credit cards, detailed financial records on hundreds of people, and confidential corporate files. He concludes by asking, “who else is doing this?”