It’s 11 O’Clock. Do You Know Where Your Sensitive Data Is?

In an era where the perils of information theft are well known and paper shredding has become a part of daily life for millions, it’s ironic that government agencies have yet to close a major loophole in their information security practices. Consider the following:

* As part of an ongoing investigation, the St. Louis Post-Dispatch periodically buys discarded U.S. government computers from recyclers in Nigeria. In a December 2006 article, the paper reported it had found school records, personal messages, financial information and teachers’ Social Security numbers from public schools in California and Virginia on computers it had purchased.

* In April 2005, a man searching a garbage dump in the United Kingdom was handed a laptop containing 70 top secret files from the British military, including details of a British army camp and navy base, by a woman at the dump.

* A 2006 article in the Los Angeles Times revealed that the U.S. military paid thousands of dollars to recover computer hard drives being sold in an Afghan market. A journalist for the Times reported he saw information on one of the drives that showed maps, charts and intelligence reports on Taliban and Al Qaeda military activities.

What many government IT professionals realize—but most agencies have yet to embrace—is that the act of deleting data from computer hard drives is no guarantee that the information will not be resurrected at a later date by unscrupulous people. “Data is very resilient.

Even on hard drives damaged by natural disaster or equipment failure, it can be frequently retrieved by data recovery specialists,” said Bill Margeson, president and CEO of CBL Data Recovery Technologies Inc. “Given the number of computers that are leased by government organizations, along with those that are donated, sold for re-use or even scrapped, it’s critical that all information be irretrievably destroyed before the host hardware is out of the organization’s hands.”

Many people think that repeatedly deleting data, repartitioning, or reformatting the hard drive are sufficient means to render data inaccessible. In reality, until data is actually overwritten by new information or a signal, it can be recovered by programs that read disk sectors directly. Off-the-shelf programs are actually available over the Internet which automate the recovery process, making it possible for individuals to retrieve deleted data from the hard drive regardless of whether they own the computer.

The only infallible ways to destroy data or make it completely inaccessible, according to Margeson, are to degauss, to overwrite files, or to simply destroy the storage media itself. The United States Department of Defense has approved both overwriting and degaussing; however, the effectiveness of overwriting cannot be guaranteed without case-by-case examination, and degaussing can render a hard drive inoperable because it may damage the magnetic media.