Here’s a great example of why you can never really entrust your information to anyone but yourself.
The Register’s John Leyden reports that Pointsec Mobile Technologies, a data security company, has obtained via eBay a hard disk apparently owned by “one of Europe’s largest financial services groups”. On the hard disk were, in the words of Pointsec, “pension plans, customer databases, financial information, payroll records, personnel details, login codes, and admin passwords for their secure Intranet site. There were 77 Microsoft Excel documents of customers email addresses, dates of birth, their home addresses, telephone numbers and other highly confidential information, which if exposed publicly could cause irrevocable damage to the company.” The disk cost Pointsec £5 (about $8).
The purchase wasn’t just a one-off, either. Pointsec says they bought 100 hard drives as part of research into this kind of problem, and found they were able to read 70% of them, despite the fact that all had supposedly been reformatted to wipe off data. They also visited airports in Sweden, the U.S. and Germany where laptops lost in transit were being auctioned off. In one case, using password recovery software, Pointsec was able to access information on the laptops even before purchasing the laptops. In Sweden the company bought a laptop on which they found “four Microsoft Access databases containing company- and customer-related information and 15 Microsoft PowerPoint presentations containing highly sensitive company information.”
Ouch. I can’t find anything on Pointsec’s website about this but John’s report gives us enough to show this kind of problem is not an obscure one. Not only does it raise serious questions about company (and government) data security, but it also highlights how stupid we are to give any of our information to a company unless it’s absolutely necessary. This would, sadly, include folks like Plaxo, who may be sincere when they say they’re doing their utmost to protect our data. But what happens when they replace one of their hard drives?
Personally, I think Pointsec should name the companies whose data they have retrieved: The Register says they won’t, and they’ll destroy the hard drives. This kind of research may prove to be good for Pointsec’s business, since they can take the data to the companies in question and offer to fix the problem, but what about all the thousands of other companies that don’t think it’s their kind of problem? Unless they are named and shamed, I don’t think there’s enough incentive for companies to double-check their data security and privacy policies.