Destroying old hard drives is the only way to keep corporate and personal information safe

Friends,

Some time ago, one of our clients discovered that one of the major PC manufacturers replaces failed computer hard drives with refurbished drives that may contain confidential information. Let me explain.

When a business purchases a new laptop or desktop computer from one of the major computer manufacturers such as Dell, HP or Lenovo, it most likely comes with a one-, two- or three-year on-site warranty. This means that if one of the hardware components, such as a hard drive or motherboard, fails, the manufacturer will replace the part and will send a certified technician, most likely one of their local partners, to your office to install the new part. So far, so good, right?

Some medium and large businesses employ platform-specific certified techs, or train their existing IT staff to handle replacement of parts in-house, in order to save time and ensure that third parties do not handle corporate information. In that case, the person responsible for hardware maintenance will be responsible for contacting the PC manufacturer in the event of a hardware failure, identifying the problem and requesting the right replacement part.

Our client, a medium-sized business, employed such a person. One day, he received a phone call from one of the senior managers stating that a fairly new brand-name laptop wouldn’t start. He asked for the laptop to be brought in, and quickly identified a failed hard drive. He then contacted the PC manufacturer and requested a new replacement hard drive.

The replacement part arrived in 48 hours and was packaged impeccably, resembling a brand-new product. Having installed the new hard drive, the tech realized, to his surprise, that it came with a fully installed operating system. I should note that normally an operating system such as Microsoft Windows is pre-installed by PC manufacturers, meaning that a systems administrator has to go through the final installation and configuration steps, or, in most cases, an enterprise will have a pre-configured disk image that includes the operating system as well as all standard software applications used within the company.

Now back to the issue at hand. The operating system did not have a password. The shock came when the tech discovered a large amount of data on the hard drive that belonged to another company (!). In short, the hard drive was returned to the manufacturer and exchanged. The issue was explained; however, the manufacturer could not provide any reasonable explanation other than to restate that the hard drive was in fact refurbished, and that their technicians must have made a mistake by forgetting to properly erase all data prior to shipping the hard drive.

Businesses of all sizes around the globe have no choice but to refresh old technology and, in turn, dispose of old technology. For some reason, the majority of IT professionals who are charged with safeguarding corporate data pay more attention to the disposal of servers and server components, and at times totally disregard desktop and laptop computers. The issue is that some PCs may contain extremely sensitive information, including the company’s financial information, trade secrets, employee personal and salary information, etc.

So, how can an enterprise ensure that corporate information does not walk out the door and become the property of an unintended recipient or a criminal? Many companies rely on the simple process of formatting hard drives prior to recycling old technology. Sounds simple, right? The problem is that even after a format, almost any experienced IT professional or PC enthusiast will be able to recover files, either partially or completely, using widely available software tools. The only way to make sure that the data is safe is to make sure that the hard drive isn’t operational, meaning it cannot be connected, powered and read by a computer or any other device.
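
Why a format is not enough, shown as an added example that is not part of the original post: a short Python audit that scans a raw disk image for leftover file signatures before a drive leaves the building. The 64-sector image, its sample files and the `simulated_quick_format` model (only the metadata sectors are rewritten) are constructed assumptions for illustration.

```python
"""Pre-disposal audit: look for leftover file content in a raw disk image."""

SECTOR = 512
METADATA_SECTORS = 4  # assumption: file-system tables occupy sectors 0-3

# Well-known magic bytes that mark the start of common business documents.
SIGNATURES = {
    b"%PDF-": "PDF document",
    b"PK\x03\x04": "ZIP container (docx/xlsx)",
    b"\xff\xd8\xff": "JPEG image",
}


def residual_report(image: bytes) -> dict:
    """Count non-blank sectors and list sectors that start with a known signature."""
    hits, non_blank, total = [], 0, 0
    for offset in range(0, len(image), SECTOR):
        sector = image[offset:offset + SECTOR]
        total += 1
        if any(sector):  # at least one non-zero byte survives in this sector
            non_blank += 1
        for magic, kind in SIGNATURES.items():
            if sector.startswith(magic):
                hits.append((offset // SECTOR, kind))
    return {"sectors": total, "non_blank": non_blank, "hits": hits}


def build_used_image() -> bytes:
    """Constructed sample drive: metadata in sectors 0-3, files at sectors 10 and 20."""
    image = bytearray(64 * SECTOR)
    image[0:METADATA_SECTORS * SECTOR] = b"\xaa" * (METADATA_SECTORS * SECTOR)
    files = {10: b"%PDF-1.4 constructed payroll summary",
             20: b"PK\x03\x04 constructed spreadsheet"}
    for sector, content in files.items():
        start = sector * SECTOR
        image[start:start + len(content)] = content
    return bytes(image)


def simulated_quick_format(image: bytes) -> bytes:
    """Simplified model of a format: metadata is rewritten, the data area is untouched."""
    return bytes(METADATA_SECTORS * SECTOR) + image[METADATA_SECTORS * SECTOR:]


if __name__ == "__main__":
    report = residual_report(simulated_quick_format(build_used_image()))
    print(f"{report['non_blank']} of {report['sectors']} sectors still hold data")
    for sector, kind in report["hits"]:
        print(f"sector {sector}: {kind} still present after format")
```

Any hit or non-blank sector in the report means the drive still carries readable content and should not leave the building in that state.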

To achieve that, the computer hard drive must be physically destroyed. There are many ways of achieving that goal. We always suggest having professionals do the job. If you are an IT professional and decide to destroy a hard drive yourself, we recommend drilling several holes through the body of the device using a simple power drill. After that, you can safely recycle the old hard drive through one of the technology recycling companies.

Until next time,

The Driz Group