The cost of ‘free’ IT disposal

Search for IT recycling online and you’ll find numerous ‘free’ services. The catch: a potentially serious risk to your data security. Such ‘free’ offers inevitably involve cutting corners with an organisation’s data and environmental responsibilities. Who can afford that risk?

Dangerous data: The horror stories

Data hacking tends to dominate headlines. As recently as March, we learned that details of thousands of NHS staff had been stolen from a private contractor’s computer server. However, it’s worth noting that there are far more common causes of data breaches, which are consistently overlooked. The professional IT asset disposal (ITAD) sector describes the rise in free recycling providers as a spectre. That’s apt when you consider the horror stories resulting from the failure to destroy records on redundant IT equipment.

An NHS Trust experienced the perils of free data disposal first-hand. The high-profile case in mid-2013 resulted in a £200,000 fine by the Information Commissioner’s Office (ICO). The Trust replaced an approved data destruction provider with another firm, which offered free computer disposal in return for selling salvageable equipment. The well-intentioned move proved misguided when a member of the public, having bought a second-hand computer online, alerted the Trust to the data loss. Investigations found the health records of 2,000 children and 900 adults on that machine alone, along with NHS staff details. Sensitive data was subsequently discovered on three other hard drives. The supplier had promised to crush the hard disks, but there was no contract in place setting out the details and no form of process monitoring or documentation.

Although described by the data watchdog as one of the most serious breaches it had seen, the scenario is alarmingly familiar.

Every organisation is at risk

Besides medical records, bank account details, confidential business plans, financial company data and personal ID numbers were all recovered in a study of 300 second-hand hard drives, conducted by BT's Security Research Centre and three universities. For the study, drives were purchased from America, Australia, France, Germany and the UK. The conclusion? 34% of the assets scrutinised contained ‘information of either personal data that could be identified to an individual or commercial data identifying a company or organisation.’ The same researchers also found the launch procedures for a US military air missile defence system on a hard drive resold on eBay.

Five years on from that study, research in 2016 by leading data erasure specialist Blancco Technology Group shows little has changed. The company purchased 200 used hard disk and solid state drives from Craigslist and eBay to investigate its concerns about a common, dangerous data security issue. Being an accredited Blancco Technology Silver Partner, FGD were particularly interested in the findings. These included some staggering statistics.

  • 67% of the drives held personally identifiable information; 11% held sensitive corporate data.
  • 36% of the drives with residual data had information improperly deleted from them by simply dragging files to the recycle bin or using the basic delete button.
  • Only 10% of the drives had a secure data erasure method performed on them.

Clearly, data isn’t being wiped properly before reselling IT equipment.
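The statistics above hinge on the difference between deleting a file and sanitising the medium. The following added example (not from the article, FGD or Blancco) makes that concrete on a constructed 4 KiB disk image: a filesystem-style delete clears only the directory entry, a single-pass overwrite clears every block, and a block-by-block verification scan of the kind an ITAD process would document shows what a buyer could still read off the drive in each case.

```python
"""Constructed example: why 'drag to the recycle bin' is not data erasure.

An 8-block image holds a tiny directory table in block 0 and a record in
block 3. quick_delete() mimics a filesystem delete (directory entry cleared,
data block untouched); overwrite_erase() mimics a single-pass overwrite.
verify_sanitised() and residual_strings() are the post-erasure checks whose
results a disposal provider should be able to hand over as evidence.
"""
BLOCK = 512  # assumed sector size for the constructed image


def make_image(record: bytes) -> bytearray:
    """Constructed sample image: directory entry in block 0 points at block 3,
    the record is stored in block 3, every other block is zero."""
    img = bytearray(8 * BLOCK)
    img[0:BLOCK] = b"record.txt:block=3".ljust(BLOCK, b"\x00")
    img[3 * BLOCK:3 * BLOCK + len(record)] = record
    return img


def quick_delete(img: bytearray) -> None:
    """What 'delete' or the recycle bin does: drop the directory entry only."""
    img[0:BLOCK] = b"\x00" * BLOCK


def overwrite_erase(img: bytearray) -> None:
    """What an erasure tool does: overwrite every block of the medium."""
    img[:] = b"\x00" * len(img)


def verify_sanitised(img: bytes) -> dict:
    """Scan every block and report which ones still carry any data."""
    dirty = [off for off in range(0, len(img), BLOCK) if any(img[off:off + BLOCK])]
    return {"blocks": len(img) // BLOCK, "dirty_blocks": len(dirty),
            "dirty_offsets": dirty, "clean": not dirty}


def residual_strings(img: bytes, min_len: int = 8) -> list:
    """Printable runs still present on the medium, i.e. what a buyer could read."""
    found, run = [], bytearray()
    for b in img:
        if 32 <= b < 127:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode())
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode())
    return found
```

On a real drive the same scan would be run over the block device rather than an in-memory image, and the report kept with the asset's chain-of-custody paperwork.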

Too good to be true

Free IT recycling may seem on the surface like a fair exchange: a service provided for resalable equipment. But consider what’s required to deliver secure, compliant IT asset disposal.

Doing the job thoroughly is resource hungry. It demands running GPS-tracked vehicles, employing CRB-checked drivers and technicians and operating from a secure, licensed process centre with CCTV coverage. It requires having the appropriate insurance policies and accreditations in place; FGD recommends insisting on ISO 9001, ISO 14001 and ADISA certification. It calls for some remarkably impressive machinery to crush and shred IT assets, alongside data erasure software that’s good enough for national government (CESG approved). The closest attention is needed throughout, from the way hazardous waste is handled to removing security tags and identifying marks and issuing comprehensive reports that meet environmental legislation and data protection and privacy laws. There are no corners to be cut. Drilling a hole in a hard drive and selling the material for scrap isn’t a solution. Neither is using free software; often, by the manufacturer’s own admission, it isn’t guaranteed to erase all data.

If an organisation takes risks with its data and environmental responsibilities, what is really being procured? It is merely a broker transaction, not an IT asset disposal service. Of course, there are many occasions when the client does not have to see a charge, but this is because the redundant equipment is of sufficient value to cover the disposal costs. That value must be properly assessed first.

The true cost of ‘free’ IT recycling? Ask the ICO for an estimate. Or better, see the authority’s advice on selecting a professional service provider.

FGD securely processes over 100,000 IT assets a year.
