Sensitive data on eBay computers
Updated on 07 May 2009
Computers sold on eBay and at computer fairs still contain sensitive corporate data from companies such as Laura Ashley, Ford and Nokia, a study by the University of Glamorgan shows.
Computers sold on eBay and at computer fairs still contain sensitive corporate data from companies such as Laura Ashley, Ford and Nokia, a study by the University of Glamorgan shows.
The study, funded by BT and Sims Lifecycle Services, found that a number of hard drives contained a substantial mixture of corporate and personal data.
Below is a summary of some of the data found from a selected number of companies, together with those companies' responses to the disclosure.
Laura Ashley
The study appeared to include a small number of disks which contained data belonging to Laura Ashley. These disks contained a range of corporate data including information marked private and confidential. The disks also contained some network configuration information. The information included:
- Stock control and Discount codes
- Internal email and email addresses
- Information relating to trading performance budget etc
- On one disk there was a number of private images
- Customer web orders, including customer names and addresses
In a statement to Channel4 News, Laura Ashley said: "We are surprised to see the results due to our rigorous and clear equipment disposal policy that we have in place and practice to avoid such occurrences. All our equipment is disposed of in accordance with our disposal policy guidelines and we have a strict process in place that results in total destruction of redundant equipment. There is no re-selling of components.
"We do everything we can to ensure all confidential company information is destroyed, and investigations into how this information became available is currently our priority. We are pleased that this issue has been highlighted to us as this will enable us through our reviews to add or introduce further tighter measures and control if required."
Lanarkshire NHS
Two disks appeared to have originated from within the Lanarkshire NHS trust, one contains a number of references to Hairmyres Hospital and Monklands Hospital. One disk appears to contain patient data relating to radiology and xrays. The information included:
- Medical staff shifts
- A sensitive and confidential staff letter
- Information from a medical system appearing to refer to patients
- Thumbnails of x-rays
- A confidential letter from one member of staff
In a statement, to Channel4 News, NHS Lanarkshire said: "This study refers to hard disks which were disposed of in 2006. At that time NHS Lanarkshire had a contractual agreement with an external company for the disposal of computer equipment.
"In this instance the hard drives had been subjected to a basic level of data removal by the company and had then been disposed of inappropriately. This was clearly in breach of contract and was wholly unacceptable.
"NHS Lanarkshire places a high priority on information governance and in 2008 we undertook an extensive review of all our information governance policies to ensure that patients can be confident that we can be trusted to collect, store and distribute their data securely.
"As a result of this review we no longer use external companies for the disposal and destruction of redundant IT equipment. NHS Lanarkshire now ensures that all equipment containing data is destroyed on our premises under witness conditions.
"We have also undertaken significant work to further enhance the protection and management person identifiable information. This includes banning the use of unencrypted memory sticks, and encrypting all NHS laptops.
"We are also currently transferring all data from individual desktop PCs into a shared network so that PCs and laptops no longer contain any person identifiable information."
Ford Motor Company
This disk contains corporate data which appears to originate from Ford Motor Company. The disk contains references to design and engineering data. Information included:
- Data appears to relate to the Fixture Design and Evaluation System
- Contact information for software training
- Some system support network configuration information
- Corporate Data Protection warnings dated from 1996 to 2001 - "Confidential Ford Motor Company"
- Some files with author names
In a statement Ford told Channel4 News: "Ford had been made aware that a hard disk containing Ford technical data had been located as part of a research project being undertaken by BT with Glamorgan University. The information available so far indicated that it was from an older machine, suggesting that it would not have the hard disk encryption applied currently to Ford PCs and laptops.
"Ford is investigating this issue with BT and the University to identify the computer from which the hard disk originated so that we can determine its history. The data from the hard disk is also being passed on to Ford so that it can be analysed.
"While this investigation is underway the return of Ford PCs and laptops to suppliers has been suspended and a review is taking place of all the processes involved in removing data from computers and returning equipment."
Swindon Council
The disks appear to contain data from Swindon Borough Council mostly related to planning applications. The information included:
- Some financial information
- Internal emails
- Numerous planning application details for the local area
This disk also included some network information and firewall configuration information.
In a statement to Channel 4 News, Swindon Council said: "No computers disposed of by Swindon Borough Council have any information on their hard drives - they are all professionally wiped clean and the data they contained is effectively irrecoverable except in some circumstances to forensic experts.
"Since late 2007, all council laptop computers have been encrypted, which makes the information on them extremely difficult to recover by an unauthorised user, and again when these are disposed of they are wiped clean.
"For the information on this particular disk to have survived suggests that its on an older computer which has not been used on the councils network for some time. We want to investigate how this information has escaped and we will contact the university to obtain more information to identify how this might have happened."
Nokia
The disks appear to contain data relating to Nokia including some material marked as company confidential. The information included:
- Images of what appear to be cell phone circuitry
- Minutes of meetings
- Personnel names
- Personnel evaluations forms
In a statement Nokia told Channel4 News: "Nokia has strict procedures in place for disposing sensitive company data and information. Due to confidentiality reasons, we do not disclose information on these processes."
