<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: 2008 Data Breach Investigations Report</title>
	<atom:link href="http://securityblog.verizonbusiness.com/2008/06/10/2008-data-breach-investigations-report/feed/" rel="self" type="application/rss+xml" />
	<link>http://securityblog.verizonbusiness.com/2008/06/10/2008-data-breach-investigations-report/</link>
	<description>Risk Intelligence from Verizon Business Security Solutions powered by Cybertrust</description>
	<pubDate>Wed, 03 Dec 2008 21:43:49 +0000</pubDate>
	<generator>http://wordpress.org/?v=</generator>
		<item>
		<title>By: Russ Cooper</title>
		<link>http://securityblog.verizonbusiness.com/2008/06/10/2008-data-breach-investigations-report/#comment-31</link>
		<dc:creator>Russ Cooper</dc:creator>
		<pubDate>Thu, 07 Aug 2008 16:37:19 +0000</pubDate>
		<guid isPermaLink="false">http://securityblog.verizonbusiness.com/?p=80#comment-31</guid>
		<description>Kyle,

Given that there are absolutely no knowns in "unknown unknown", speculating that anything represents the majority of those cases is, well, wild speculation. Honestly, it's as likely to be use of graphic card memory for tools or violation of VM boundaries. It could be anything.

Also, from a risk calculation perspective, the simple cost of purchasing drives, let alone drives from Nigeria, would make this an unlikely option for criminals. It’s far easier to compromise a system electronically via no-cost bots across no-cost network links than to purchase anything from anywhere.

Regardless of whether you agree that IT disposal represents the "biggest hidden risk," it does represent a risk that should be considered. Local disposal (or loss via 3rd parties) of unencrypted data tapes has been widely reported on, regardless of whether that lost data was ever used in a crime. The reputation losses that can be incurred as a result should make businesses aware there is real risk involved.

That all said, it has been repeatedly demonstrated that a concerted effort can reassemble data from even the most damaged drives (the Space Shuttle drive data reconstruction being but one example), so if data is going to be left unencrypted on any physical device the furnace becomes your only safe bet.

Applying data sensitivity identification can mitigate some risk. If your data is valuable for, at most, 6 months then simply keep the old drives that long before disposing of them. If the data has value for a longer period, adjust accordingly. If the storage time becomes too long, or the risk of using 3rd parties for such storage too great, then encryption becomes a cheaper option (despite it costing more than not using it, providing it's cheaper than storing the data). If, however, your data is sensitive for a period that makes brute force decryption viable, then we're back to the furnace.

Personally, I would be more concerned about the entity who accepts the drives directly from me, than from whomever they ship those drives to. That first party has knowledge of who I am and which drives are mine, and therefore are in the position to pick and choose drives that might be valuable. Whoever is receiving these drives in, for example, Nigeria has far less knowledge and ends up having to go through a far greater volume of noise to get to a signal. That alone reduces the likelihood, and therefore the risk.

We have long recommended that sensitive data should be encrypted at rest. If it is, then it is likely to be encrypted in transit (e.g. via Internet backup or physical tape transfers). This mitigates many issues brought up in the media, and should satisfy most regulatory requirements. Keeping data encrypted in memory (or while in use by an application) can be desirable and may reduce some specific risks, but has far less overall risk-reducing benefit than encrypting at rest.

None of this is meant to suggest that the outsourcing of IT disposal shouldn't involve investigating how that entity handles the data/devices, or, that there aren't differences between providers of such services. All outsourcing should involve investigation of all pertinent details.

Thanks for pointing this out, Kyle.

Cheers,
Russ</description>
		<content:encoded><![CDATA[<p>Kyle,</p>
<p>Given that there are absolutely no knowns in &#8220;unknown unknown&#8221;, speculating that anything represents the majority of those cases is, well, wild speculation. Honestly, it&#8217;s as likely to be use of graphic card memory for tools or violation of VM boundaries. It could be anything.</p>
<p>Also, from a risk calculation perspective, the simple cost of purchasing drives, let alone drives from Nigeria, would make this an unlikely option for criminals. It’s far easier to compromise a system electronically via no-cost bots across no-cost network links than to purchase anything from anywhere.</p>
<p>Regardless of whether you agree that IT disposal represents the &#8220;biggest hidden risk,&#8221; it does represent a risk that should be considered. Local disposal (or loss via 3rd parties) of unencrypted data tapes has been widely reported on, regardless of whether that lost data was ever used in a crime. The reputation losses that can be incurred as a result should make businesses aware there is real risk involved.</p>
<p>That all said, it has been repeatedly demonstrated that a concerted effort can reassemble data from even the most damaged drives (the Space Shuttle drive data reconstruction being but one example), so if data is going to be left unencrypted on any physical device the furnace becomes your only safe bet.</p>
<p>Applying data sensitivity identification can mitigate some risk. If your data is valuable for, at most, 6 months then simply keep the old drives that long before disposing of them. If the data has value for a longer period, adjust accordingly. If the storage time becomes too long, or the risk of using 3rd parties for such storage too great, then encryption becomes a cheaper option (despite it costing more than not using it, providing it&#8217;s cheaper than storing the data). If, however, your data is sensitive for a period that makes brute force decryption viable, then we&#8217;re back to the furnace.</p>
<p>Personally, I would be more concerned about the entity who accepts the drives directly from me, than from whomever they ship those drives to. That first party has knowledge of who I am and which drives are mine, and therefore are in the position to pick and choose drives that might be valuable. Whoever is receiving these drives in, for example, Nigeria has far less knowledge and ends up having to go through a far greater volume of noise to get to a signal. That alone reduces the likelihood, and therefore the risk.</p>
<p>We have long recommended that sensitive data should be encrypted at rest. If it is, then it is likely to be encrypted in transit (e.g. via Internet backup or physical tape transfers). This mitigates many issues brought up in the media, and should satisfy most regulatory requirements. Keeping data encrypted in memory (or while in use by an application) can be desirable and may reduce some specific risks, but has far less overall risk-reducing benefit than encrypting at rest.</p>
<p>None of this is meant to suggest that the outsourcing of IT disposal shouldn&#8217;t involve investigating how that entity handles the data/devices, or, that there aren&#8217;t differences between providers of such services. All outsourcing should involve investigation of all pertinent details.</p>
<p>Thanks for pointing this out, Kyle.</p>
<p>Cheers,<br />
Russ</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Retire-IT</title>
		<link>http://securityblog.verizonbusiness.com/2008/06/10/2008-data-breach-investigations-report/#comment-30</link>
		<dc:creator>Retire-IT</dc:creator>
		<pubDate>Tue, 05 Aug 2008 20:28:59 +0000</pubDate>
		<guid isPermaLink="false">http://securityblog.verizonbusiness.com/?p=80#comment-30</guid>
		<description>The biggest hidden risk of data security involves IT disposal. Often companies rely on electronics recyclers to protect them by destroying data on retired hard drives. 

Sadly, 80% of unwanted US computer equipment is exported to developing countries by these so-called recyclers - often with confidential data still on hard drives.  

As the Verizon study states “criminals prefer to exploit weaknesses rather than strengths.” What could be easier than buying old hard drives from an e-scrap dealer in Nigeria? 

Outsourcing IT disposal makes sense. But if an organization fails to maintain proper oversight, outsourcing actually increases the risks, provides a false sense of security, and is likely the majority of the 90% of breaches that involve some type of "unknown unknown."

Kyle Marks
President &#38; CEO
Retire-IT, LLC
kmarks@retire-it.com</description>
		<content:encoded><![CDATA[<p>The biggest hidden risk of data security involves IT disposal. Often companies rely on electronics recyclers to protect them by destroying data on retired hard drives. </p>
<p>Sadly, 80% of unwanted US computer equipment is exported to developing countries by these so-called recyclers - often with confidential data still on hard drives.  </p>
<p>As the Verizon study states “criminals prefer to exploit weaknesses rather than strengths.” What could be easier than buying old hard drives from an e-scrap dealer in Nigeria? </p>
<p>Outsourcing IT disposal makes sense. But if an organization fails to maintain proper oversight, outsourcing actually increases the risks, provides a false sense of security, and is likely the majority of the 90% of breaches that involve some type of &#8220;unknown unknown.&#8221;</p>
<p>Kyle Marks<br />
President &amp; CEO<br />
Retire-IT, LLC<br />
<a href="mailto:kmarks@retire-it.com">kmarks@retire-it.com</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Ma petite parcelle d'Internet...</title>
		<link>http://securityblog.verizonbusiness.com/2008/06/10/2008-data-breach-investigations-report/#comment-15</link>
		<dc:creator>Ma petite parcelle d'Internet...</dc:creator>
		<pubDate>Sun, 22 Jun 2008 18:28:06 +0000</pubDate>
		<guid isPermaLink="false">http://securityblog.verizonbusiness.com/?p=80#comment-15</guid>
		<description>&lt;strong&gt;...&lt;/strong&gt;

...</description>
		<content:encoded><![CDATA[<p><strong>&#8230;</strong></p>
<p>&#8230;</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Verizon Business Security Blog &#187; Blog Archive &#187; Bryan Sartin on the Data Breach Investigations Report</title>
		<link>http://securityblog.verizonbusiness.com/2008/06/10/2008-data-breach-investigations-report/#comment-12</link>
		<dc:creator>Verizon Business Security Blog &#187; Blog Archive &#187; Bryan Sartin on the Data Breach Investigations Report</dc:creator>
		<pubDate>Fri, 20 Jun 2008 15:59:28 +0000</pubDate>
		<guid isPermaLink="false">http://securityblog.verizonbusiness.com/?p=80#comment-12</guid>
		<description>[...] Part I of this two-podcast series, Bryan Sartin provides a general overview of the 2008 Data Breach Investigations Report and describes the methodology used to compile the findings of this ground-breaking analytical [...]</description>
		<content:encoded><![CDATA[<p>[...] Part I of this two-podcast series, Bryan Sartin provides a general overview of the 2008 Data Breach Investigations Report and describes the methodology used to compile the findings of this ground-breaking analytical [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Russ Cooper</title>
		<link>http://securityblog.verizonbusiness.com/2008/06/10/2008-data-breach-investigations-report/#comment-11</link>
		<dc:creator>Russ Cooper</dc:creator>
		<pubDate>Mon, 16 Jun 2008 14:32:22 +0000</pubDate>
		<guid isPermaLink="false">http://securityblog.verizonbusiness.com/?p=80#comment-11</guid>
		<description>This is a question we've been asked quite a bit during webinars and other discussions on the study. The answer is that many cases (30%) involved more than one source. For instance, the scenario described in the paper where an external entity compromised a partner and then used the partner's connection to attack the victim would get a check next to both 'external' and 'partner' sources. You'll note that the 30% figure is mentioned on page 2 of the report as being "multiple parties."</description>
		<content:encoded><![CDATA[<p>This is a question we&#8217;ve been asked quite a bit during webinars and other discussions on the study. The answer is that many cases (30%) involved more than one source. For instance, the scenario described in the paper where an external entity compromised a partner and then used the partner&#8217;s connection to attack the victim would get a check next to both &#8216;external&#8217; and &#8216;partner&#8217; sources. You&#8217;ll note that the 30% figure is mentioned on page 2 of the report as being &#8220;multiple parties.&#8221;</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Neal Krawetz</title>
		<link>http://securityblog.verizonbusiness.com/2008/06/10/2008-data-breach-investigations-report/#comment-10</link>
		<dc:creator>Neal Krawetz</dc:creator>
		<pubDate>Mon, 16 Jun 2008 13:15:17 +0000</pubDate>
		<guid isPermaLink="false">http://securityblog.verizonbusiness.com/?p=80#comment-10</guid>
		<description>73% + 18% + 39% = 130%. What accounts for the 30% overlap?</description>
		<content:encoded><![CDATA[<p>73% + 18% + 39% = 130%. What accounts for the 30% overlap?</p>
]]></content:encoded>
	</item>
</channel>
</rss>
