The Association of Digital Forensics, Security and Law (ADFSL)
The ever-increasing use of, and reliance upon, computers in both the public and private sector has led to enormous numbers of computers being disposed of at the end of their useful life within an organisation. As the cost of computers has dropped, their use in the home has also continued to increase. In most organisations, computers have a relatively short life and are replaced on a regular basis with the result that, if not properly cleansed of data, they are released into the public domain containing data that can be relatively up to date. This problem is exacerbated by the increasing popularity and use of smart phones, which also contain significant storage capacity. From the results of the research it remains clear that the majority of organisations and private individuals that are using these computers remain ignorant of, or misinformed about, the potential volume and type of information that is stored on the hard disks contained within these systems. The evidence of the research is that neither organisations nor individuals have considered, or are aware of, the potential impact of the information that is contained in the disks from these systems becoming available to an unintended third party. This is the fifth study in an ongoing research programme being conducted into the levels and types of information that remain on computer hard disks that have been offered for sale on the second hand market. This ongoing research series has been undertaken to gain an understanding of the level and types of information that remains on these disks, to determine the damage that could potentially be caused if the information was misused, and to determine whether there are any developing trends. The disks used have been purchased in a number of countries. The rationale for this was to determine whether there are any national or regional differences in the way that computer disks are disposed of and to compare the results for any regional or temporal trends.
The disks were obtained from a wide range of sources in each of the regions in order to minimise the effect of any action by an individual source. The first study was carried out in 2005 and since then has been repeated annually with the scope being incrementally extended to include additional research partners and countries. The study in 2009 was carried out by British Telecommunications (BT) and the University of Glamorgan in the UK, Edith Cowan University in Australia, Khalifa University in the United Arab Emirates and Longwood University in the USA. The core methodology of the research has remained unaltered throughout the duration of the study. The methodology has included the acquisition of a number of second hand computer disks from a range of sources and determining whether the data contained on the disks has been effectively erased or if they still contain information relating to previous owners. If information was found on the disks from which the previous user or owner could be identified, the research examined whether it was of a sensitive nature or in a sufficient volume to represent a risk. One of the consistent results of the research through the entire period has been that, for a significant proportion of the disks that have been examined, there was sufficient information present to pose a risk of a compromise of sensitive information to either the organisation or the individual that had previously used the disks. The potential impacts of the exposure of this information could include embarrassment to individuals and organisations, fraud, blackmail and identity theft. In every year since the study started, criminal activity has also been exposed. As has been stated in the previous reports, where the disks had originated from organisations, they had, in many cases, failed to meet their statutory, regulatory and legal obligations. 
In the 2009 study, the fifth in the series, the research methodology that had been followed in the previous studies was repeated, but in addition Khalifa University of Science, Technology and Research contributed to the analysis of the disks.
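The core methodology described above has two steps: decide whether a disk has been effectively erased, and, if not, look for information from which a previous owner could be identified. The following is an added illustration of that triage, not code from the study or its authors. It assumes a raw disk image is available as bytes; the 4 KiB block size, the 7.5 bits/byte entropy threshold, the identifier patterns (e-mail addresses and Luhn-valid 16-digit numbers) and the sample image are all my own constructed assumptions.

```python
import math
import re
from collections import Counter

BLOCK = 4096  # assumption: analyse the image in 4 KiB blocks (one 4K sector)
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD_RE = re.compile(rb"(?<!\d)\d{16}(?!\d)")

def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for all-zero, close to 8.0 for random data."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values()) if n else 0.0

def luhn_ok(digits: bytes) -> bool:
    """Luhn check so that an arbitrary 16-digit run is not reported as a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):  # reversed(bytes) yields ints
        d = ch - 48
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify_image(image: bytes) -> dict:
    """Count zero, high-entropy and structured blocks; scan structured blocks for identifiers."""
    counts = {"zero": 0, "random": 0, "structured": 0}
    emails, cards = set(), set()
    for off in range(0, len(image), BLOCK):
        blk = image[off:off + BLOCK]
        if not any(blk):
            counts["zero"] += 1
        elif entropy(blk) > 7.5:  # assumption: overwrite pattern / encrypted / compressed
            counts["random"] += 1
        else:
            counts["structured"] += 1
            emails.update(m.decode() for m in EMAIL_RE.findall(blk))
            cards.update(m.decode() for m in CARD_RE.findall(blk) if luhn_ok(m))
    if counts["structured"] == 0:
        verdict = "wiped (zero)" if counts["random"] == 0 else "wiped (overwrite pattern)"
    elif emails or cards:
        verdict = "identifiable data present"
    else:
        verdict = "residual data, no identifiers matched"
    return {"blocks": counts, "emails": sorted(emails), "cards": sorted(cards), "verdict": verdict}

# Constructed sample image: three zero blocks, one overwrite-pattern block, one block of residual text.
SAMPLE = (
    bytes(BLOCK) * 3
    + bytes(range(256)) * (BLOCK // 256)
    + b"Invoice for jane.doe@example.com card 4111111111111111 ref 1234567812345678".ljust(BLOCK, b"\x00")
)
```

A "wiped" verdict here only means no structured block survived the sampling; a forensic examiner would still confirm with file-carving tools before declaring a disk clean.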
Jones, Andy; Valli, Craig; Dardick, Glenn S.; Sutherland, Iain; Dabibi, G.; and Davies, Gareth, "The 2009 Analysis of Information Remaining on Disks Offered for Sale on the Second Hand Market," Journal of Digital Forensics, Security and Law: Vol. 5, Article 3.
Available at: http://commons.erau.edu/jdfsl/vol5/iss4/3