Hidden hacking danger in e-waste sold second-hand by major companies
Australians are being warned of a ‘catastrophic’ risk to national security and their personal data as companies fail to dispose of their old equipment properly.
Published on News.com.au by Eli Green.
Personal information such as medical and credit card details as well as the keys to state infrastructure have all been found on unscrubbed IT equipment sold on by some of Australia’s biggest companies and government agencies.
It’s been described as the missing “vital piece in the puzzle”, but e-waste could be posing a hidden danger to Australians’ privacy and the nation’s security, with personal details and company information regularly found on second-hand devices after they’re sold on.
The things found on second hand devices are “worse than you can imagine”, according to Kurt Gruber, the founding director of cyber sanitation company WV Technologies, which also purchases and resells second-hand equipment from online sellers and auction houses.
“Even government agencies at the highest levels, multiple of those, are getting rid of completely unwiped equipment,” he said.
“With critical infrastructure, we’ve found the network keys for the critical infrastructure of a state at an auction house which we destroyed.
“And then in terms of personal details in them, the full medical records of government and corporate employees and customers, right down to the common mum and dad.”
That data included images of intimate surgeries where patients were under anaesthesia.
WV Technologies has also found entire Excel spreadsheets with the names, addresses, mobile phone numbers and credit card details of the customers of major retailers, as well as alarm codes for dozens of stores from one company.
“It’s off-the-planet kinds of things, and it’s not like it happens once. We’re just so used to it now,” he said.
Research undertaken by consulting agency PwC, alongside WV Technologies, found there is a significant risk of data breaches that comes from the incorrect disposal of e-waste while undertaking an experiment on second-hand equipment.
PwC purchased a mobile phone and tablet for less than $50 from a second-hand retailer in the ACT in an effort to see what they could recover.
Report author Rob Di Pietro described the results as “shocking”.
They were able to retrieve 65 pieces of personally identifying information (PII) from the phone, while the tablet – which still had corporate stickers on it – contained a note with credentials for access to a database that allowed them to access 20 million sensitive PII records.
“It’s a far bigger problem than we realise today, than anyone has really paid attention to it in recent times,” Mr Di Pietro told NCA NewsWire.
“We were shocked that individuals would leave the data on these devices in plain sight.”
Australian organisations and individuals dispose of thousands of tonnes of e-waste each year, a figure that is growing rapidly with the global volume of e-waste to exceed 70 million tonnes per year by 2030.
The PwC report found that of the 650 kilotonnes of e-waste produced annually in Australia and New Zealand, only about 10 per cent is formally collected rather than thrown in the bin.
WV Technology estimates that one in every 250 hard drives that fall into their hands is not wiped correctly, something that Mr Gruber believes is contributing to cybercrime.
“It’s often weird how you get random ransomware attacks or even just phishing emails and they happen to know a bit about you,” he said.
“There’s no way to draw the connection between improper disposals and where people are getting your information but it would have to be a contributor.”
Mr Di Pietro agrees, saying it was “quite possible” that cyber attacks were carried out from data found on second-hand devices as criminals follow the path of “least resistance” to carry out their operations.
“Rather than go to the trouble of trying to hack into systems to steal identities, if they can do it from spending $20-30 online, they will,” he said.
“It worries me to think what are other motivated cyber criminal groups doing, potentially going after second-hand devices that may be laying around or sold on eBay or Gumtree.”
Mr Gruber also said it was important to consider that foreign powers such as China are importing used hard drives from Australia.
“They can make hard drives for cents, it’s interesting the amount of used drives that are purchased by foreign states.”
Mr Gruber said not enough attention was being given to disposing of IT equipment safely, partly due to company costs.
“It doesn’t make sense to invest so heavily upfront [for cyber protection] and then basically have people go through the bins or online sites and find the things you were trying to protect in the first place,” he said.
“It’s frustrating to know that you have these processes where you’ve got to give away your information, and there’s a big company that makes a fortune but doesn’t want to pay $20 at the end to dispose of the hard drive.”
The federal government is currently overhauling the nation’s cyber security laws and the privacy act in response to the high-profile cyber attacks on Optus and Medibank where the personal data of millions of Australians was breached.
Mr Di Pietro says there is now an “opportunity” for the federal government to include more explicit and clear obligations for e-waste on companies as a part of cyber regulation, saying “more needs to be done” to keep Australians safe.
“We’ve been far more focused on [e-safety] in the online sense, and that’s where the breaches last year were very focused on, but we need to see the priority shift to equally treat our digital footprint in the offline sense,” he said.
“And that is on devices that are no longer needed, and that’s where we think [the legislation] has been neglected.”
Mr Gruber urged companies that are getting rid of old equipment to avoid doing it in-house, but instead look for data destruction companies with the NAID AAA certification, meaning it is government endorsed for data destruction up to top secret levels.
“They’re probably well-intentioned, but it’s not your core business,” he said.
“They often don’t understand how complex properly decommissioning a piece of equipment is.”
The issue goes beyond the disposal of hard drives, with more complex IT devices that connect company networks often containing the most data.
“With hard drives, everyone’s hair stands up because you can physically see the threat, but a large portion of the most sophisticated stuff just hasn’t been touched,” he said.
“They don’t understand that there’s data on a lot of the chips these days, it’s not just the hard drive.”