Old hard drives held top secret data

Thursday, May 07, 2009

Researchers have discovered data on the US missile shield system, NHS health records and multi-billion pound money transfers on old PCs.

The data was discovered on 300 hard drives bought randomly at computer fairs and an online auction site. Researchers from BT and the University of Glamorgan bought disks from the UK, America, Germany, France and Australia.

Once analysed, the researchers found a large amount of data that could be used for fraud or identity theft.

The hard drives included details on the test launch procedure of a US missile defence system, which would be considered highly sensitive data. The drive also contained data on the US defence group Lockheed Martin, who built the missile defence system. The data included security policies and blueprints of facilities at the group, and personal information on employees. They also found details of a proposed $50bn currency exchange through Spain.

In addition, a disk from France included security logs from an embassy in Paris, while two disks from the UK appear to have originated from a Scottish NHS hospital trust. The disks had information from the Monklands and Hairmyres hospitals, part of Lanarkshire NHS Trust, and revealed patient medical records, images of x-rays, medical staff shifts and sensitive and confidential staff letters.

Professor Andrew Blyth, an expert in computer forensics and principal lecturer at the University of Glamorgan's faculty of advanced technology, said the study showed once again that almost half of all hard drives contain sensitive data.

"While it's not getting worse, its not getting any better either. It's not rocket science. I could probably take somebody who is 14 or 15 years old and in a day have them doing this," he said.

Dr Andy Jones, head of information security research at BT, said: "It is clear that a majority of organisations and private individuals still have no idea about the potential volume and type of information that is stored on computer hard disks.

"Businesses also need to be aware that they could also be acting illegally by not disposing of this kind of data properly."

In a statement, Lanarkshire NHS Trust said: "This study refers to hard disks which were disposed of in 2006. At that time NHS Lanarkshire had a contractual agreement with an external company for the disposal of computer equipment.

"In this instance the hard drives had been subjected to a basic level of data removal by the company and had then been disposed of inappropriately. This was clearly in breach of contract and was wholly unacceptable."

A Lockheed Martin spokesman said they had not been aware of any "compromise of data" related to the missile defence programme.