Poor data destruction leaves Australia exposed

Are nation-state foes buying ex-govt PCs for the data?

Published by ACS, by David Braue, on May 31 2021

https://ia.acs.org.au/article/2021/poor-data-destruction-leaves-australia-exposed.html

Sales of WV Technologies’ refurbished computers and network equipment have dried up “completely” since the company stepped up its data-destruction capabilities, according to company executives who suspect it’s because they are doing their job too well.

Until recently, WV – which buys large volumes of obsolete equipment, then cleanses it of data before refurbishing or recycling it – was shipping “at least a container of equipment every month” to overseas buyers, founding director Kurt Gruber told Information Age.

Demand from many long-term buyers, however, dried up soon after the company boosted its data-destruction capabilities to a level where it recently became the only Australian company to offer every category of the National Association for Information Destruction (NAID) AAA certification guidelines required to destroy hard drives, SSD drives, and other equipment containing data up to ‘Top Secret’ classification.

The business had been steady for years, Gruber said, admitting he had been “bewildered” why buyers were happy to pay high prices for obsolete computer equipment that had no contemporary value.

“Why would anyone pay $25 for a Core Duo desktop when it doesn’t make any sense?” he explained. “This led us to believe that they’re buying the containers because of the data that’s in them – rather than the hardware itself.”

It’s just a theory, he says, but the timing of the sales slump leads the company to suspect that “they completely stopped buying because you won’t find data on our equipment”.

“It’s a bit of a funny thing,” he adds, “because it makes it harder for us to win the work because another vendor who doesn’t do it properly will tell clients they can get $25 each for their old desktops.”

Government policies require agencies to destroy hard drives and other data-carrying media before they send their obsolete gear to recyclers like WV Technologies, but it doesn’t always happen that way.

Disposal tasks are often delegated to overworked IT staff, who are already tied up with myriad other duties and can easily overlook the many places in a computer where important data is stored – including one or more hard drives; SSD drives; SD cards left inserted in slots; CD-ROM disks; tape backups; and other devices.

Agencies “think they’re doing the right thing,” Gruber said, “but they’re trusting a human to follow a process.”

If those storage media make their way into the wrong hands, they can not only compromise sensitive government information but also expose operational data, such as network router maps and voice-over-IP configuration details, that could be exploited to facilitate a larger cybersecurity attack.

One shipment of 200 old IP phones, he said, still had configuration information that meant “I could call you from the IP phone and it would come up with [the original user’s] name”.

Top-secret destruction

Government agencies regularly auction off their old equipment as part of their equipment lifecycle management processes, with firms like Grays Online, AllBids, and Pickles Auctions offering thousands of old laptops, tablets, and other devices every week.

WV regularly buys old equipment in auction lots, employing around 30 people – including a steady supply of Indigenous trainees that helped its parent Worldview Foundation become a finalist in the recent Supply Nation Supplier Diversity Awards.

Of these lots, Gruber says, “about 1 in 250 has data on it – which is insane, because they’re sending containers of this stuff offshore.”

With so much data leaking out of government agencies, properly finding and destroying data-bearing equipment is table stakes for WV Technologies, which advertises itself as “[delivering] certainty with purpose”.

For federal government agencies tasked with meeting the data-destruction requirements of the Protective Security Policy Framework (PSPF), comprehensive data destruction is a critical part of information security – but a glance at the strict requirements makes it clear why so few companies are allowed to handle information classified as SECRET and TOP SECRET.

The PSPF and companion Information Security Manual spell out extensive requirements for the protection of sensitive classified information, including the need to physically shred paper documents and IT media into pieces no larger than 3mm – compared with 9mm for ‘Protected’ level information.

WV’s disintegrator cuts media into 2.38mm pieces – but with so much data being missed despite best efforts, he warns, the mass exporting of old Australian government equipment could easily facilitate the next major nation-state attack on Australian government agencies or companies.

“There’s a big focus on the front end of cybersecurity and stopping people getting into existing networks,” director Jamie Miller explains, “but the amount of data we intercept from government departments, defence contractors, law firms and a range of people [is amazing].”

“It’s very easy for someone from adversarial state actors to purchase from Australia – and if there’s not a process on the disposal side, the amount of information they could get is a lot.”

DAVID BRAUE

David Braue is an award-winning technology journalist who has covered Australia’s technology industry since 1995. A lifelong technophile, he has written and edited content for a broad range of audiences across myriad topics, with a particular focus on the intersection of technological innovation and business transformation.
