In a study released last month, secure data management firms Kroll Ontrack and Blancco Technology Group found that in a set of used hard drives bought online, nearly half came with data left behind by previous owners.
And it wasn’t that those previous owners didn’t care about the information left on the disks, the companies said. In fact, 75% of the drives with data still on them showed signs users had attempted to wipe the drives, but didn’t succeed at fully erasing their contents.
“One of the more glaring discoveries from our study is that most people attempt in some way or another to delete their data from electronic equipment,” Blancco IT security consultant Paul Henry said in a statement when the study was released. “But while those deletion methods are common and seem reliable, they aren’t always effective at removing data permanently, and they don’t comply with regulatory standards.”
In some ways, the study’s findings only underscore what’s been known for some time: Users on the computer forensics site Forensics Wiki have compiled a list of more than a dozen studies and news reports documenting similar results—hard drives sold with data, often including potentially sensitive information like medical records, still on them—dating back to 2003. One researcher who’s developed cryptographic approaches for guaranteeing discarded data becomes truly inaccessible says she first began that line of research around the time of the Microsoft antitrust trial in the late 1990s.
“What happened was, while I was at Sun [Microsystems], the CEO happened to be in my office right when Microsoft had been in the news getting embarrassed by old emails that they thought had been deleted that could be recovered from backup,” recalls Radia Perlman, now an industry fellow at storage giant EMC. “He mumbled something about, ‘It would be really good to make sure that data you want gone is really gone.’”
And even as information continues to be exposed through discarded hard drives, the explosive growth in mobile computing, cloud data storage, and the Internet of Things has led to more avenues for imperfectly deleted data to make its way into the wrong hands. The study by Blancco and Kroll found more than a third of a sample of used mobile devices had residual data on them, and Blancco Technology Group CEO Pat Clawson says he’s even found personal data unwittingly left behind after being synced to the dashboard computers of rental cars.
“I just rented one recently,” he says, “and I’ve got ‘Randy’s contacts on Randy’s iPhone’ right there on the screen.”
Part of the problem, Clawson says, is that the tech industry hasn’t always made it easy for users to figure out how to delete their information, and hasn’t made clear the difference between secure erasure techniques—where data is actually overwritten on a storage device multiple times to render it truly unrecoverable—and quicker modes of deletion where disk space is merely marked as reusable.
“People think their data’s been destroyed, and really all you’re doing is removing the table of contents,” says Clawson, whose company makes secure data erasure tools. “The rest of the chapters of the book are sitting there waiting to be discovered.”
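As an added illustration of the distinction Clawson draws (this is not code from the article or from Blancco), here is a toy disk model in which a directory stands in for the “table of contents”: an ordinary delete drops the directory entry but leaves the file’s bytes carvable from the raw media, while an overwrite pass does not. The ToyDisk class, its block size and the sample record are all constructed for this example.

```python
import os

BLOCK = 16  # constructed toy block size; real sectors are 512 or 4096 bytes


class ToyDisk:
    """Toy model of a disk: raw media plus a directory (the 'table of contents')."""

    def __init__(self, nblocks=8):
        self.media = bytearray(nblocks * BLOCK)  # the raw platters/flash
        self.free = list(range(nblocks))         # blocks not claimed by any file
        self.directory = {}                      # file name -> block numbers

    def write(self, name, data):
        blocks = []
        for off in range(0, len(data), BLOCK):
            b = self.free.pop(0)
            self.media[b * BLOCK:(b + 1) * BLOCK] = data[off:off + BLOCK].ljust(BLOCK, b"\0")
            blocks.append(b)
        self.directory[name] = blocks

    def quick_delete(self, name):
        # Ordinary delete: drop the directory entry and mark the blocks reusable.
        # The bytes themselves are not touched, so they stay recoverable.
        self.free.extend(self.directory.pop(name))

    def secure_delete(self, name, passes=3):
        # Secure erase: overwrite each block the file occupied, then release it.
        for b in self.directory[name]:
            for _ in range(passes):
                self.media[b * BLOCK:(b + 1) * BLOCK] = os.urandom(BLOCK)
        self.quick_delete(name)

    def carve(self, needle):
        # A forensic "undelete" ignores the directory and scans the raw media.
        return bytes(self.media).find(needle) != -1


SAMPLE = b"MRN 00042 diagnosis: example text"  # constructed sample record


def after_quick_delete():
    """Return (still listed in directory?, still carvable from raw media?)."""
    d = ToyDisk()
    d.write("patient.txt", SAMPLE)
    d.quick_delete("patient.txt")
    return "patient.txt" in d.directory, d.carve(b"MRN 00042")


def after_secure_delete():
    d = ToyDisk()
    d.write("patient.txt", SAMPLE)
    d.secure_delete("patient.txt")
    return "patient.txt" in d.directory, d.carve(b"MRN 00042")
```

The model assumes the overwrite lands on the same physical blocks the file occupied, which holds for magnetic disks but not for SSDs, whose wear-levelling firmware may redirect writes; there the drive’s built-in secure-erase or cryptographic-erase command is the appropriate tool.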
Still, Clawson says, companies and individuals alike are becoming more aware of the need to reliably purge information, partially due to high-profile data breaches like Ashley Madison’s, and partially due to stricter government and industry standards, like HIPAA and the credit card processing PCI standards. For many companies, that means looking closely at how they handle data both internally and on computers in external and cloud-based data centers.
“When you’re dealing with cloud or virtual environments, you’re reaching down and first erasing the virtual,” he says. “The long-term disposition of the physical storage medium needs to be addressed as well.”
Secure deletion is something that can be addressed in companies’ agreements with cloud and storage vendors, says Clawson, and vendors do increasingly offer such guarantees.
In fact, says Rand Wacker, the vice president of enterprise product at the file-sharing company Box, some companies see a move to secure cloud storage and file-sharing tools as an improvement on pre-existing, ad hoc ways of managing data.
“It’s really interesting talking to many of these risk and compliance officers in organizations—they actually see the cloud as an opportunity to help centralize and get more control of it,” Wacker says. “It’s been such a challenge for them knowing that content is just sprawled across laptops and network drives and all these different places.”
Box, which offers HIPAA-compliant storage for health data and is certified compliant with the ISO 27001 international data security standard, encrypts customer files and scrubs every copy of them from its servers on deletion, he says.
“Every last instance of a file – these are the encrypted instances – are scrubbed from the Box servers and all of the distributed storage of that file,” Wacker says.
Of course, that only addresses copies of the data stored in Box, so customers still need to decide what to do about data that might be stored elsewhere, like in offsite backups.
And for particularly sensitive data, companies can use other security tools to make sure they know where each copy of the information lies. They can, for instance, use tools that need to grab a decryption key from a central server before they can decrypt and work with data, says Paula Long, the CEO of DataGravity, a New Hampshire company that sells storage servers with built-in data tracking and security capability. “The problem is, the more secure you want to make it, the more complex and cumbersome it gets for anybody to use the data,” she says, and there’s no way to build a completely foolproof security system.
Modern storage systems like Box’s cloud network or DataGravity’s servers can help companies track where files are copied, when they’re stored in filesystem snapshots and backups and when they’re accessed in an unusual way that might indicate a breach. But they generally can’t track where data goes once it’s allowed to leave secure systems, so companies need to be vigilant about using third-party systems with the levels of security guarantees they want.
“Part of that has to really deal with your security posture, your risk tolerance,” says Clawson.
Fast-moving startups might transfer data to third-party systems without thinking too deeply about exactly how that data’s being stored, but if they later decide to get more vigilant, even the most sophisticated security systems will have difficulty figuring out where all those files and records have gone.
“You can’t track anything that happened in the past,” says Long, “because we weren’t there to capture the history.”