IT Brief UK - Technology news for CIOs & IT decision-makers

Dutch regions' data exposed after hard drives sold at market

Yesterday

A Dutch man has purchased hard drives containing sensitive personal information from several Dutch regions at a flea market, raising concerns about data security practices.

The hard drives held personal identifiers from 2011 to 2019, such as Dutch citizen service numbers, birth dates, addresses, prescriptions, and other medical details from the Utrecht, Delft, and Houten regions. This incident has prompted discussions on the potential risks associated with the improper disposal of data-storage devices.

Jon Fielding, Managing Director for EMEA at Apricorn, commented on the data exposure. "Sadly it's all too common for portable storage media containing sensitive data to become exposed. Many companies have a policy of selling on hardware devices, including hard drives, when letting remote workers go as this is seen as a cost-effective way to write off the equipment. But these companies won't always have policies in place for wiping those devices," Fielding stated.

Fielding also underscored the risks associated with such practices, especially in cases of employee redundancies. "If one of those redundancies results in a disgruntled employee you then have the interesting combination of having provided them with the data to go rogue," he added.

The Information Commissioner's Office (ICO) Data Security Incident Trends has recorded instances of improper hardware disposal leading to data exposure, notably within health and property services sectors. "Interestingly, the ICO Data Security Incident Trends reveals incorrect disposal of hardware resulting in data exposure was reported by organisations in the health and land or property services sectors three times last year," Fielding noted. He also mentioned Apricorn's annual Freedom of Information requests that had identified issues at the government level, specifically with HM Revenue and Customs losing USB sticks.

The analysis of data security practices by Apricorn also revealed inconsistencies in tracking and securing data storage devices at the governmental and council levels. "The FoI also revealed that some councils are not tracking peripherals and that memory sticks are considered departmental responsibility, so are not tracked by asset management. Others are choosing not to encrypt devices but instead rely on Multi-Factor Authentication but there really is no substitute for hardware-based encryption," Fielding stated. He advises that hardware encryption should be the standard to secure data if devices are lost or stolen, ensuring the information remains unintelligible.

Fielding suggests that appropriate measures should be taken when storage devices reach the end of their life. "Ideally, when a storage device reaches end of life it should be wiped and sanitised and there are guidelines available from NIST and the IEEE on how to do this," he said.

He further explained the guidelines provided by NIST and IEEE, stating, "NIST advocates that data should be removed in one of three ways – by clearing, purging or destroying the device – and it applies to HDDs, flash drives, mobile phones etc. IEEE 2883 dovetails with the ISO 27040:2024 storage security standard so is bang up to date and is applicable to the latest storage technologies such as NVMe drives."

This incident has highlighted the importance of robust data protection measures and the need for organisations to adhere to appropriate data disposal protocols to prevent potential data breaches.
