When we talk about data protection, we immediately imagine various contexts. The news suggests the GDPR and the protection of privacy. CISOs will think of industrial secrets to protect the economic activity of their employer. And above all, the military will (not) talk about classified informations.
After this evocation, we then talk about a whole panoply of organizational and technical measures which will guarantee the confidentiality of the data stored: authentication, access control, authorizations, partitioning, cryptography,… Your situation being unique, the choice of means to be implemented will be based on the benefit / risk ratio and the value of the data that you must take care of.
Focusing on the value of the data is of course essential in choosing the protection measures but can make you forget the physical media which store this data, its lifecycle and in particular, its disposal.
As you will see, this step is too often overlooked which lead to… hum… embarrassing moment for their owners.
To remind you of the importance of this, we offer you three short stories. They come from our experiences but in order not to harm the people concerned, some elements have been anonymized.
A casual guy
Richard, like many people, has a computer at home with which he goes online. This is super convenient because he can do his administrative procedures, access his bank accounts and do his shopping online. Single, Richard also uses it to chat on dating sites with other single people, and other adult activities.
Until someday, when his old PC got slower and slower to the point he didn’t even want to boot itself. So, with his savings, Richard bought a brand-new one and threw the old one in the bin.
What Richard didn’t know was that Jerome lives in the same building. A curious young man who has just discovered underground magazine including an article in Cryptel n ° 2 - Trashing report - which talks about rummaging through France Telecom’s garbage cans (we are in 1998). So when Jerome saw Richard’s old PC in the trash, he thought “me too!”.
The PC was definitely out of order, but that did not prevent Jerome from plugging the old hard drive into his own computer to browse its contents and recover, amongst other things, internet browsing history, emails, access codes, water and electricity bills, scans of identity cards, driving licenses, bank cards and, finally, three sextapes from Richard and latino93.
A university laboratory
It is common knowledge that public research is under budget. To equip themselves with PC, computer labs have no problems but other sciences have to make painful trade-offs. This is how biologists sometimes have to use their computers to the limit in order to acquire some expensive equipment.
When Jane was told that we were replacing Germaine, her old Compaq who was struggling with a brand new HP (with a Core 2!), she jumped for joy. No time to waste, there is so much to do with this new HP that Germaine is placed with old boxes in front of the entrance to the building. Jane will find plenty of time later to go to the recycling center.
Actually no. Because the building is on the path of students going to the University Restaurant, including Sylvie, a computer science student, who did not fail to spot the lonely Germaine and her boxes. So with some friends, they decide to save her and organize her exfiltration. It’s exhilarating, it’s fun.
Once at home, Sylvie sucks up the dust from Germaine and starts it up again. Before installing a new Linux system (Slackware 12), she takes the opportunity to search the hard drive.
Amidst earthy team reports and a few scientific papers, Sylvie stumbles upon the topic of the next exams. That’s good, she just has friends in this matter…
A military center
When state services no longer use certain materials, they are sold to the domains (custom translation of the french «domaines» where those old material are sold). During sometimes epic auctions, the highest bidder can become the proud owner of 164 pairs of combat shoes (batch n°50, size 35 to 50), 11 electrician’s toolboxes (batch n°136 code EMAT 555011K1) or 12 Wheeled Armored Police Vehicles (batch n°22, for approximately 84 tonnes of scrap).
That day, a batch of 20 PCs (Dell optiplex GX240 with Pentium 4) was put on sale, for the second time, at 200€. No one bidding, Martin, from the back of the room, offers 1€.
In order to avoid to sale them a third time, the auctioneer accepts. After having paid the commission of 11%, that is to say a total of 1.11 €, Martin leaves with his voucher and discovers that the PCs are in a military center in the countryside… A trip later, the 20 PC are at Martin’s house. Good surprise, they are complete, in good condition and can therefore be reconditioned.
Even the records are there. But what to do with it? Martin is curious but he doesn’t want any problems… So he suggests to military friends from another army division to provide him with 20 new discs in exchange for the 20 used ones so that they can search them, and then tell him if there was valuable data.
Good thought because these discs had not been erased and contained, among other things, NATO maneuver plans… So 5 years of imprisonment and a € 75,000 fine were avoided (article 413-11 of the penal code).
To be fair, data recovery from discarded media is still very hit and miss. During a search, you can hardly predict whether media will be present, whether it will still contain data, and whether the recovered data will be useful (or valuable). This approach is therefore opportunistic or reserved for cases of economic / military intelligence.
Before dealing with this risk, one might be tempted to conduct a comprehensive risk analysis. By measuring the likelihood of a scrap recovery and the severity if data were exposed, you could then determine whether a specific protective measure is necessary.
This is a bad idea because most of the time the answer will be “the risk is too low” and you will miss out on the side benefits that you get from treating it.
By placing a paper shredder (DIN 3 is a minimum) and a prominent erase dock (ie next to the printer), you not only secure the disposal, but more importantly, both of these devices, will act as permanent reminder, leading to an awareness of the importance of media and data and in fine to IT security problems.