Why does the secure erasure of data matter?

Thursday, January 30, 2020 by Milagros Gamero

The Radicati Group estimates that in 2021, we will be sending 320 billion emails a day: an incomprehensible amount of data. Businesses are producing more big data than ever before, and at an increasingly fast rate. Organisations must, therefore, understand why the secure erasure of sensitive data is so critical.

According to New Vantage's 2019 Big Data and AI Executive Survey, 91.6% of organisations are investing in big data and AI. They are doing this to ensure their transformation into agile and competitive businesses. When you look at these figures, it can be hard to comprehend the scale of the average company's data footprint.

Businesses today not only have tape backups and hard drives to contend with, but they also have mobile devices, memory cards and now, more than ever, virtualised environments. No matter what data a company produces, managing it securely and compliantly – not just in storage and transit, but also at the end of its lifecycle – is essential.

Everyone ought to understand the importance of erasing data. Whether you're selling a second-hand smartphone on eBay or you're a business adhering to legal obligations to destroy sensitive information, ensuring you use secure data destruction practices can save you or your company from facing challenging circumstances like a data breach.

Recent examples of secure data erasure failures

Nonetheless, some consumers and businesses exhibit a surprising degree of negligence in this respect. In 2019, a significant privacy breach occurred in Japan where 18 hard drives used by the Kanagawa Prefectural Government to store taxpayers' data were auctioned online instead of being destroyed. Sold online by an employee of a Tokyo-based recycling company, the hard drives were meant to be securely destroyed. The data on the sold devices totalled 27 terabytes and included individuals' names, addresses, and tax payment records. A man contacted the prefectural government after buying nine of the drives online, which alerted the government to the situation. Even though the government had deleted the data, the buyer was able to restore the data quickly using specialised data recovery software.

In the same year, a study commissioned by Ontrack in partnership with data erasure specialist Blancco analysed 159 second-hand drives bought from eBay. The results were staggering: sensitive residual data was found on 42% of the drives, with 15% containing personally identifiable information including passport information, birth certificates, university papers, financial records, and photos.

What's the difference between deletion and erasure?

Deletion and erasure may sound the same, but these are two terms not to be confused. Data deletion leaves data recoverable, while data erasure is permanent; this is especially important for businesses, as getting these two terms confused can present significant issues under the conditions of the EU GDPR.

There is a lot of confusion around the definition of data erasure. Most of the trouble comes from the varying methods available to achieve it. For example, factory resets, reformatting, and data wiping are all methods that are not capable of performing data sanitisation. Still, the vast majority of organisations believe these methods are suitable, which leaves them vulnerable to a potential data breach.

Without suitable data disposal methods in place, an organisation can't guarantee that it can protect its customers' sensitive information.

What makes data destruction secure?

As the above cautionary tales demonstrate, not taking pains to erase data securely can lead to catastrophe. In an age of increasingly smart, interconnected technology, it bears remembering that every byte of electronic information exists in physical form – no matter what it looks like on-screen, there's a hard drive platter or memory chip somewhere that's ripe for the taking.

Businesses and consumers need to, therefore, keep track of data assets that have come to the end of their lifecycle, and then destroy them at their origin. This might not sound like too complex a job – even someone with a rudimentary knowledge of technology might be familiar, in theory, if not in practice, with concepts like a disk format or factory reset. Failing that, it might still occur to them to toss an old laptop into a skip rather than risk its unauthorised reuse.

Unfortunately, secure data disposal isn't that simple. None of the above methods guarantees that the information stored on those devices won't be recoverable – in fact, it might take little more than a few minutes with a free data recovery software package to retrieve it.

What's wrong with a hard drive format?

The common assumption about a hard drive format is that it wipes the medium outright. This is not true: most of the time, a format leaves almost all of the data intact. Its purpose is to strip out the existing file system – if any – and generate a new one, not to securely and permanently erase sensitive information. The operating system might not be able to read it as usual, but it's still there.

For a simple analogy, think of a hard drive as an enormous library in which books represent individual files. A quick format is the equivalent of throwing away the catalogue. It might be challenging to navigate the library without it, yes, but the books are very much still in existence. As for recovering this information, it requires little to no technical knowledge – anyone can go about it with software tools such as Ontrack EasyRecovery.
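The library analogy above can be modelled on a small disk image. The following is an added example, not code from the original article or from Ontrack: it builds a constructed image file, applies a "format" that rewrites only the catalogue sectors, then a full overwrite, and runs the same verification pass after each. The sector size, image layout and function names are assumptions made for illustration.

```python
import os
import tempfile

SECTOR = 512  # bytes per sector (assumed for this constructed image)

def build_image(path, sectors=64, catalogue=4):
    """Constructed sample disk: a 'catalogue' region followed by file data."""
    with open(path, "wb") as f:
        f.write(b"CATALOGUE".ljust(SECTOR, b"\x01") * catalogue)
        f.write(b"customer-record".ljust(SECTOR, b"\x02") * (sectors - catalogue))

def quick_format(path, catalogue=4):
    """Model of a format: only the catalogue sectors are rewritten."""
    with open(path, "r+b") as f:
        f.write(bytes(SECTOR * catalogue))

def overwrite_all(path):
    """Model of erasure: every sector is overwritten with zeros and flushed."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(size // SECTOR):
            f.write(bytes(SECTOR))
        f.flush()
        os.fsync(f.fileno())

def residual_sectors(path):
    """Verification pass: count sectors that still hold non-zero bytes."""
    zero = bytes(SECTOR)
    total = residual = 0
    with open(path, "rb") as f:
        while chunk := f.read(SECTOR):
            total += 1
            if chunk != zero[:len(chunk)]:
                residual += 1
    return residual, total

def demo():
    """Return (residual, total) after the format and after the overwrite."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        build_image(img)
        quick_format(img)
        after_format = residual_sectors(img)
        overwrite_all(img)
        after_erase = residual_sectors(img)
    return after_format, after_erase

if __name__ == "__main__":
    print(demo())
```

The verification pass is the part worth keeping in a real process: an erasure is only demonstrated once every sector has been read back and checked against the expected pattern.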

What about a factory reset on a mobile device?

Although the process might seem different, carrying out a factory reset on a smartphone or other device with flash memory is identical to a conventional disk format – the contents of the chip stay right where they are, invisible to the operating system but recoverable nonetheless.

A study from Avast shows the scale of the problem. The company bought 20 second-hand, factory-reset smartphones from pawnshops across the world. Using off-the-shelf data recovery software, the company retrieved 2,000 personal photos, emails, text messages, invoices, and one adult video.

Disturbing studies like the one above show that as the use of mobile devices grows more prevalent in the world of business, companies must extend their secure data destruction practices beyond traditional hard drives and tape archives.

Will physically destroying my media erase the data?

You've probably seen films where characters are trying to destroy incriminating evidence. They frantically hit a hard drive with a hammer or smash up a desktop with an axe. It may look impressive, but destroying hardware gives no guarantee that the data will be unrecoverable.

It is still possible to recover data from a physically damaged media device. A recent video from Ontrack demonstrates this quite well. Think steamroller vs smartphones!

So, although it comes across as a last-ditch, fail-safe method, even taking a power drill to a hard drive won't necessarily render sensitive information irretrievable.

Secure erasure is a must for businesses and consumers alike

Ensuring you understand the reasons for secure deletion is a step in the right direction. The confusion about what constitutes correct data sanitisation methods continues, meaning many businesses and consumers are in danger of data breaches and cyber-attacks.

There are several solutions available to ensure the absolute destruction of any sensitive or personal data; these include world-class software, degaussers, and shredders. For more information on ensuring the correct disposal of your data, view our website.