Poor PC disposal leaves business open to computer crimes

Published on 19 Feb 2007

Companies are failing to dispose of their old computer equipment securely, leaving potentially sensitive data vulnerable, a new survey has found. Data security firm Pointsec has warned that businesses could be allowing sensitive information to fall into the hands of criminals by selling their old IT equipment on the second-hand market or to staff.

Its survey showed that less than half of large companies used professional disposal experts to destroy their old computers. Only 17% destroyed their redundant equipment in-house - the safest approach according to Pointsec.

The remainder chose to sell their computers to second-hand dealers or staff, which often meant that the next recipient could gain access to all of the old data.

In 2005 a study by the University of Glamorgan examined 92 second-hand computers acquired from a variety of sources, including eBay and computer fairs, and set out to find how much data could be recovered from the hard drives. The researchers had no prior knowledge of where the disks had been purchased or what was on each disk.

Of the computers they studied, the researchers found that 57% of the hard drives contained information from which organisations could be identified; 53% contained identifiable usernames; 51% contained personal information including complete databases of customer information, and employee information including their names, addresses, contact details and their national insurance numbers; and 20% contained financial information relating to the organisations, including sales receipts and profit and loss reports.

Martin Allen, Managing Director of Pointsec, said:

"We have all heard about PCs thrown away in council tips that have ended up in West Africa with local extortionists and opportunists selling the contents such as bank account details for less than £20.
"Many corporations also fall victim to this sort of scam by selling their old PCs to second hand dealers who often do not have the skills or resources to reformat and clean them adequately.
"We recommend thoroughly reformatting the hard drive or encrypting the data on all mobile devices as this ensures that no-one can get at the data unless they know the computer's password both during the PC's lifetime and beyond."

Making sure that all sensitive data has been wiped from old computers is even more important in light of the Waste Electrical and Electronic Equipment (WEEE) Regulations, which were enacted into UK law on 2 January.

As a business user of IT equipment from 1 July, when full producer responsibility starts, you will be legally responsible for the collection, treatment and recovery of all PCs purchased before the implementation date, unless you are buying new PCs to replace old ones on a like-for-like basis.

If you are replacing old PCs with new equipment, manufacturers and resellers are required by the new law to take responsibility for the costs of collection, treatment and recovery of any equipment being replaced on a like-for-like basis.

Where you are responsible for the collection, treatment and recovery of redundant PCs and other IT equipment, you will also be responsible for reporting evidence to show that they have been disposed of in accordance with the new law. It should be possible to dispose of these machines through Designated Collection Facilities, probably at council-run tips, where they will then be recycled. Alternatively, businesses could choose to reuse machines by giving them to employees, local schools etc. or donating them to charities such as Computer Aid International, which sends the computers for use in developing countries.

One of the benefits of using a charity such as Computer Aid is that the organisation will provide you with a certificate to say you are in full compliance with the legislation; it will also wipe the computer's hard drive for you so there is no risk of sensitive data falling into the wrong hands.
