[BreachExchange] End-of-Life Devices Pose Data Breach Risk

Destry Winant destry at riskbasedsecurity.com
Wed Dec 11 10:21:01 EST 2019


GDPR, CCPA and the rest of the alphabet soup of privacy laws should
have organizations looking more deeply at how and where they store and
use data. While most companies have improved their approach to data
security in response to privacy laws, too many continue to ignore the
data sanitization of devices at end of life, and this exposes the
organization to data breaches. New research from Blancco Technology
Group found that, globally, organizations’ overconfidence in their
data sanitization methods makes them more vulnerable to a data breach,
and nearly three-quarters of those surveyed point to the potential
problems caused by end-of-life devices.

Data breaches at device end-of-life is a very big problem, said
Fredrik Forslund, vice president, Enterprise and Cloud Erasure
Solutions at Blancco, in an email interview. For example, a few months
ago while researching how often sensitive data remains on pre-owned
technology, Blancco purchased 159 drives from professional sellers
using eBay in the U.S., UK, Germany and Finland. All of the drives
were “guaranteed” by the sellers to be clean from data. That wasn’t
the case, however: Almost half (42%) still contained data, with 15% of
the information being PII and/or corporate data. Forslund said in that
study they found:

A drive from a software developer with a high level of government
security clearance, with scanned images of family passports and birth
certificates, CVs and financial records.
5GB of archived internal office email from a major travel company.
3GB of data from a cargo/freight company, along with documents
detailing shipping details, schedules and truck registrations.

Failing to make sure that devices are wiped clean of data sets up
organizations for data breaches and violations of data privacy laws.

Where the Risks Are

According to the results in this most recent study, “A False Sense of
Security,” 36% reported relying on inappropriate data removal
methods—using data wiping methods such as formatting, overwriting
using free software tools or paid software-based tools without
certification or physical destruction (both degaussing and shredding)
with no audit trail.

That is just one of the ways that organizations are risking their
data, according to the report. Another risk is in the storage of these
end-of-life devices. Eight in 10 said they have a stockpile of
out-of-use equipment sitting in storage, and more than half admitted
that it takes them more than two weeks to get around to data
sanitization of those devices. Another area of risk is the lack of a
clear chain of custody of the audit trail for these end-of-life
devices, and that includes transporting them to a facility where they
are physically destroyed.

The most common issue is a lack of awareness of what is a secure and
reliable process for asset disposition, said Forslund. “Companies may
do a format or use freeware and assume this is sufficient; however,
not running a process where you can confirm that all assets have been
processed results in having data left on assets and ultimately can
lead to data breaches.”

He recommended using best practice standards and ensuring an audit
trail to verify that all assets are covered. What does that look like?
According to the report, it includes a review of the current processes
and policies that are to be followed by all employees and building
integration into asset management solutions to automate process flow,
among other steps.

“It is also important to ensure that there are no delays or possible
loopholes,” he added. “Often policies on how to run a strong IT asset
disposition process and proper data sanitization are out of date or
not properly implemented, which can be another factor that leads to
poor outcomes.”

When asked what he sees as the biggest and most important takeaway of
this study on the risks of data breaches in end-of-life devices,
Forslund stressed those best practices policies.

“Update your policy, enforce that policy, and make sure implemented
best practice is as automated and integrated into your asset
management and data management as possible,” he said. “Do not wait
until end of life of the asset to start thinking about what to do. Be
proactive and always a step ahead!”

More information about the BreachExchange mailing list