How to Avoid Data Breaches Caused by Hardware End-of-Life
It’s common knowledge that most data breaches are caused by user error. For example, lax security measures and bad habits create the perfect opportunity for hackers to swoop in and steal or encrypt data in a ransomware attack.
Although poor security is the leading cause of data breaches, there’s another threat that can render even the best security worthless: hardware end-of-life.
How does hardware end-of-life cause data breaches?
Most consumers and many businesses sell, donate, or give away old computers without erasing the hard drive. Deleting files isn’t enough because deleted files can be easily recovered. Even reformatting a hard drive can leave old data behind.
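To make the point above concrete, here is an added example (not from the original article) that audits a raw drive image for leftover data before the device leaves your hands. The image layout, the toy file table, and the function names audit_image, build_image, quick_format and full_overwrite are all constructed for illustration.

```python
import os
import tempfile

SECTOR = 512
# Magic numbers used to recognise leftover file content in a sector.
SIGNATURES = {b"\xff\xd8\xff": "jpeg", b"%PDF-": "pdf"}

def audit_image(path):
    """Scan a raw drive image and count sectors that are not all zeros."""
    total, dirty, found = 0, 0, {}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(SECTOR), b""):
            total += 1
            if any(block):
                dirty += 1
                for magic, name in SIGNATURES.items():
                    if block.startswith(magic):
                        found[name] = found.get(name, 0) + 1
    return {"sectors": total, "dirty": dirty, "signatures": found, "clean": dirty == 0}

def build_image(path, sectors=64):
    """Constructed sample drive: sector 0 is a toy file table, data sits later."""
    img = bytearray(sectors * SECTOR)
    img[0:16] = b"TABLE:photo,bill"
    img[10 * SECTOR:10 * SECTOR + 11] = b"\xff\xd8\xff" + b"passport"
    img[20 * SECTOR:20 * SECTOR + 12] = b"%PDF-invoice"
    with open(path, "wb") as f:
        f.write(img)

def quick_format(path):
    """Models delete/reformat: only the file table is cleared."""
    with open(path, "r+b") as f:
        f.write(bytes(SECTOR))

def full_overwrite(path):
    """Models a zero-fill pass over every sector."""
    with open(path, "r+b") as f:
        f.write(bytes(os.path.getsize(path)))

def demo(path):
    """Return the audit after a quick format and after a full overwrite."""
    build_image(path)
    quick_format(path)
    after_format = audit_image(path)
    full_overwrite(path)
    return after_format, audit_image(path)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(demo(os.path.join(d, "drive.img")))
```

The all-zero test assumes a zero-fill wipe, so a drive overwritten with random patterns would need a different pass criterion. On SSDs, an image read through the normal interface does not show blocks the controller has remapped, so a clean result there is weaker evidence than on a hard disk.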
If you resell a device without wiping your drive, you don’t need to be concerned about the average consumer looking for a cheap device. However, there are people who routinely purchase used devices with the intention of recovering sensitive data.
According to Infosecurity Magazine, criminals salvage old hard drives from landfills and recover private data to use for identity theft. The same article explains that a power company in Idaho contracted to have a bunch of hard drives destroyed, but those drives were resold on eBay and the sensitive data was still present.
End-of-life data breaches are a major problem
It’s not just a few people here and there who scavenge sensitive data from old hard drives. Entire criminal organizations exist for this sole purpose, and they get their hands on sensitive data through legal means like eBay and Amazon.
To see how big the problem is, consider that in 2018, a data removal company bought and tested 159 SSDs and HDDs. The company found that 42% of drives tested still contained data. Specifically, the company found photos, names, birth certificates, and email addresses on 25 of those drives.
How to prevent end-of-life data breaches
Preventing end-of-life data breaches requires extending your existing information security management system (ISMS). For example, security controls and third-party risk management are critical components of your ISMS. These components need to be extended to cover hardware end-of-life scenarios where you don’t control every hard drive containing your data.
For example, third-party risk management requires choosing a cloud hosting provider that won’t just auction off their old servers on eBay without ensuring the destruction of data. To ensure you’re using the right provider, you’ll need to look into a company’s business practices and reputation before signing up for their services. For cloud hosting, most people choose Box because they take information security seriously.
When implementing information security controls, it’s important to create controls that make it impossible for an unauthorized user to access your data when the device reaches the end of its life. For instance, you can prohibit employees from using their smartphones to access company networks to avoid the plethora of problems that can come from stolen or recycled smartphones.
You can also limit data storage to one platform, ban personal devices, and require data to be encrypted on company laptops.
It’s easier to prevent data breaches when you own your devices
There are only two ways to avoid this problem with devices in your immediate control – and one is more reliable than the other. The first is by encrypting all data on all devices, and the second is to smash your hard drives to bits and pieces before selling a used device.
Which method is more reliable? Technically, smashing your hard drive is more reliable because once it’s smashed, it will never be usable again. Encryption provides reliable protection, but only when your decryption key is unobtainable.
It’s not unheard of for hackers to get their hands on an improperly stored decryption key; therefore, smashing your hard drive is the optimal choice.
How to avoid end-of-life data breaches with hardware you don’t own
Avoiding this problem is harder when you don’t own or control the hard drives where your data is stored. For example, when you store sensitive data in the cloud, you don’t have control over the physical servers that store your files.
If the company replaces their servers by reselling or donating their old machines, your sensitive data could be recovered by the new owner. The best thing you can do is use a cloud storage service that encrypts data at rest while it’s stored on the server.
It’s not perfect, but as long as the company properly stores its decryption keys, encryption will offer the most protection from end-of-life data breaches.