Hard drives tell all

According to Gartner Inc., about 150,000 hard drives were retired in 2002. Many ended up in the trash can, but some, no doubt, found their way back onto the market. Hard drives that contain personal information raise privacy and identity theft concerns because they can reveal a lot about their users.

On common operating systems such as Microsoft's Windows, simply deleting a file, or even emptying the trash folder, does not necessarily make the information irretrievable. Those commands generally delete a file's name from the directory, but the information itself will survive until it is overwritten by new files. Even reformatting a drive may not delete sensitive data.

That means all personal information stored on the hard drive may be up for grabs if the user gets rid of or resells that computer, Massachusetts Institute of Technology (MIT) graduate students Simson Garfinkel and Abhi Shelat recently released a study illustrating the problem. They bought 158 used hard drives at secondhand computer stores and on Ebay. Of the 129 drives that functioned, 69 still contained recoverable files and 49 contained significant personal information, including medical records and 5,000 credit card numbers. One even revealed a year's worth of transactions and account numbers from a cash machine in Illinois.

Most of the hard drives acquired by the students came from businesses that apparently had misplaced confidence in their ability to "sanitize" old drives - something that happens too often.

Last spring, Pennsylvania sold computers that contained information about state employees. In 1997, a Nevada woman bought a used computer and discovered that it contained the prescription records of 2,000 customers of an Arizona pharmacy.

In Regina, Saskatchewan, police recovered a missing hard drive that contained sensitive personal information on more than 1 million people. The disk drive, reported missing by ISM Canada, an information management and outsourcing company, contained up to 750,000 files on clients of Investors Group, Canada's largest mutual fund company. It included names, addresses, account numbers, portfolio holdings, and beneficiaries. The missing drive also reportedly contained files on 180,000 clients of the Cooperators Insurance Co., 10,000 customers of SaskPower, 60,000 Saskatchewan government employees, and 56,000 Saskatchewan farmers. A class-action lawsuit has been filed against the companies and agencies that stored information on the missing hard drive.

According to experts, the only sure way to erase a hard drive is to "squeeze" it: writing over the old information with new data - all zeros, for example - at least once, but preferably several times. A one-line command will do that for Unix users, and for others, inexpensive software works well.

Copyright Association of Records Managers and Administrators Inc. May/Jun 2003
Provided by ProQuest Information and Learning Company. All rights Reserved