Hank Gerbus of Cincinnati repeatedly asked a leading electronics retailer to destroy the personal information stored on the malfunctioning hard drive he was returning. Regrettably, the popular North American retailer failed to do this. Even worse, after assurances from the retailer that the hard drive would be destroyed, it was actually resold with all of the data still intact. The individual who eventually purchased the hard drive at a flea market in Chicago was responsible enough to contact Mr. Gerbus and return it to him. However, this occurred approximately one year after the drive had been returned to the retailer. It is unclear where this drive was or who else may have had access to it during that period. In addition to Mr. Gerbus’ understandable concerns, this widely publicized security blunder generated negative exposure for the national retailer on popular websites like MSNBC and Yahoo!®. The retail chain is currently conducting an investigation.
According to dataXile president Joseph Bozic, Mr. Gerbus’ concerns are legitimate. “There are people looking to harvest information from discarded items such as hard drives. Mr. Gerbus indicated that this particular drive contained all sorts of personally identifiable information. This hard drive was a potential treasure trove for any individual looking to commit a crime such as identity theft. The fact that the whereabouts of this drive over the last year have not yet been accounted for is cause for concern.”
Mr. Bozic, whose company provides secure data destruction for IT equipment, is not entirely surprised this incident occurred. “Actually, I’m surprised this type of incident doesn’t happen more often. Many organizations look at old information technology equipment as a potential source of revenue. Unfortunately, numerous organizations fail to recognize the inherent risks with such policies. As the data stored on such devices can be more valuable than the device itself, salvaging residual value by selling old IT assets is risky. Any firm that engages in this practice should always ensure that any stored information is properly destroyed before the assets are redistributed elsewhere.”
As the North American retail chain discovered, failing to properly destroy discarded information could create a public relations nightmare. Mr. Bozic commented, “Many firms look at information destruction as a tedious irritant not worth the expense. As this incident proves, the expense is negligible compared to the potential consequences of failing to address the issue. I suspect any company that has suffered such consequences would strongly endorse a thorough information destruction policy going forward.”
The National Association of Information Destruction (NAID) recommends that information destruction be outsourced to a professional firm. Mr. Bozic, who was elected to the executive committee for the Canadian chapter of NAID, shares this view. “Outsourcing allows firms and their staff to concentrate on their core competencies. Furthermore, as NAID is committed to upholding the highest professional and ethical standards regarding information disposal, clients can be assured that information destruction companies who belong to NAID are serious about safeguarding their data. I firmly believe that by taking appropriate measures, companies can avoid incidents such as the one Mr. Gerbus experienced.”
About dataXile Corporation
Toronto-based dataXile Corporation (dataXile.com) is an information security company specializing in secure electronic data destruction. The company understands the risks and challenges associated with secure data disposal and is committed to eliminating them.