Information Privacy When Retiring Old Computers
Dale L. Lunsford, Walter A. Robbins, and Pascal A. Bizarro
2002, the United States Veterans Administration Medical Center
in Indianapolis replaced approximately 140 desktop computers
with new models. Some of the old computers were donated to
educational institutions and the state of Indiana, while others
were sold on the open market. It was later discovered that
many of the old computers contained a wealth of sensitive
medical and financial information on their hard drives. The
new owners found information identifying VA patients with
AIDS and mental health problems, and government credit card
numbers that the Indianapolis facility had used. Three computers
wound up at a local Indianapolis thrift store, where they
were purchased by a TV reporter.
fiasco is not the only incident of confidential information
being inadvertently made available through the retiring
of old computers. Consider the following cases:
The Pennsylvania Department of Labor and Industry sold
old computers that contained “thousands of files
of information about state employees.”
consulting firm of Dovebid auctioned off old computers
that contained confidential client information.
A used computer sold in Purdue University’s surplus
equipment exchange facility still had a database containing
the names and demographic information of applicants to
the school’s Entomology Department.
In Pahrump, Nevada, someone purchased a used computer
system and discovered that the prescription records of
over 2,000 patients from a local pharmacy were still on
the hard disk. Included were the patients’ names,
addresses, Social Security numbers, diagnoses, and medications.
is important for organizations to understand that if sensitive
or confidential data are not properly removed from computers
prior to disposal, the organizations risk unauthorized information
disclosure that can lead to economic loss, a damaged reputation,
civil liability, and even criminal liability. Rapid advances
in technology have magnified this risk by requiring companies
to replace computer systems, both desktop and notebook computers,
more frequently. A recent study found that approximately
150 million hard-disk drives were retired in 2002, up from
130 million in 2001. Unfortunately, the techniques most
people use to remove information from computer equipment
before retirement are inadequate and fail to ensure information
generally look for information in five areas of a salvaged
computer: deleted files, recovery partitions, configuration
files, password storage, and special hardware devices.
files. When disposing of an old computer,
users will often delete all files containing confidential
information. Deleting files, however, does not actually
remove a file’s information from the hard disk; it
only rewrites the metadata pointing to the file’s
location. The disk blocks containing the file’s contents
remain intact and vulnerable to cyber-theft.
will often use file recovery software to undelete files
and then examine the contents for confidential information.
Even if the computer user has reformatted the disk or removed
the drive partitions, the cyber-criminal can use simple,
inexpensive unformatting and partition recovery software
to recover data considered destroyed.
addition to user-maintained files, confidential data may
also exist in cached files and application-generated backup
files. These are files that are often overlooked when retiring
old computers. File caches are located in operating system
directories or hidden locations to prevent accidental deletion.
Many computer users are not aware that application programs
often store backup files in the same directories where the
applications are located. Most cyber-criminals, however,
know exactly where to look.
partitions. In personal computers, the operating
system organizes a hard disk into logical units called partitions.
Some data recovery tools, such as IBM Rapid Restore, use
hidden partitions to store backup copies of personal files
to protect them from unexpected data loss. Because these
recovery partitions are generally hidden, users may forget
to delete the backup copies of files contained in them,
leaving them available to future users.
files. All software includes a number of configuration
options that determine how the software works, which features
are available, and other information intended to simplify
the user’s life. Microsoft
Windows 95 consolidated all operating system configuration
information in a central database called the registry; application
configuration information is stored in initialization files.
Ideally, by putting this configuration information in one
database, configuration settings common to all applications
need be stored only once, installation of applications is
simplified, and the system is more stable.
the registry and initialization files provide substantial
details about the configuration of the hardware, the operating
system, and applications, as well as the location of application
files and network resources. Consequently, these files serve
as a rich source of useful information. More important,
information in the registry and initialization files can
provide information about the security measures employed
by the company and about the organization of files on servers.
Many users find it difficult to remember all
of the login information (e.g., usernames, passwords) needed
to access e-mail, applications, databases, and websites.
To relieve users of this burden, many programs allow users
to store login information so that they won’t have
to remember it. Often the operating system or applications
store identifiers and password data in the operating system’s
registry or application-specific configuration files. Popular
web browsers offer to remember passwords to websites, which
can include the password to the company’s intranet.
Many applications encrypt passwords, but developers often
do not use strong encryption techniques to protect passwords.
If the encryption technique used is weak, or the user selects
a poor password, cyber-criminals can use password recovery
software to access sensitive information.
hardware devices. Hardware installed in a
computer can provide a cyber-criminal with important information
about the network architecture and security measures used
by a company. For example, a wireless network card or authentication
hardware might alert a cyber-criminal to special security
measures or encryption keys.
can be taken to prevent future users of retired or discarded
computer systems from accessing a company’s sensitive
or confidential information, as well as information about
its network architecture and security measures. Individual
users can use this process when moving to a new computer.
An information technology department can implement the process
as a standard procedure each time the department retires
a computer from service. The process consists of four steps:
archiving of data; file transfer; sanitization; and hardware
removal. (See the Exhibit.)
data files. The first step is to make a backup
copy of all data files contained on the computer. This task
can be difficult because of how applications store data.
By default, most Microsoft applications store files in a
directory called “My Documents.” Other applications
use this directory, create their own directories, or save
files to the location where the application is installed.
Because files are located in different areas on the hard
drive, tracking them can be a challenge. Backing up files
can provide an occasion to reorganize data storage in a
more efficient way. When backing up files, use a disk-imaging
program to make a copy of all files to a high-capacity removable
disc (e.g., a CD or DVD). Applications for performing this
task include Norton Ghost, Paragon Drive Backup, Novastor
InstantRecovery, and Acronis True Image, as well as other
commercial, shareware, and freeware products.
transfer. After backing up the files, the
next step is copying them to the new computer. There are
packages that provide all of the software and hardware necessary
to transfer all computer settings and data, along with personal
files and folders. Once the copy process is finished, all
files, including operating system files, must be deleted
from the old computer. Deleting is only the first step,
however; the computer drive must now be sanitized.
Sanitization is the process of wiping clean all data stored
on a computer hard drive. There are three methods for sanitizing
a computer: disk shredding, disk degaussing, and disk wiping.
shredding. Disk shredding is the process of physically
shredding a disk to render it unusable. This method is the
most secure way of destroying data on a disk, but it requires
a technician with special equipment to carry it out.
degaussing. Disk degaussing is the process of exposing
the disk to strong magnetic fields to destroy its contents.
This method eliminates any data still on the disk. A technician
must disassemble the disk before degaussing it, using special
equipment that can damage or destroy other components if
improperly used or stored. The disk must also be reformatted
by a manufacturer before reuse.
wiping. The final method, disk wiping, sanitizes the
hard disk by removing its current data and replacing it
with random characters. Using this method requires special
but inexpensive software. The method is appropriate for
most kinds of data, though perhaps not top-secret information.
It can be performed by most users or in-house IT personnel.
shown in the Exhibit, disk wiping consists of two major
steps: booting the computer from a diskette, and wiping
the disk clean. Before starting the disk sanitation process,
all necessary files must be successfully copied either to
a new computer or to a permanent archive.
Windows and other operating systems generally do not permit
the deletion of critical operating system files. Deleting
these files requires booting the computer from a diskette.
In some cases, the disk-wiping software includes a utility
to create a bootable diskette with all of the necessary
software; if not, Windows can format a diskette as a start-up
disk. The instructions included with the wipe-disk product
selected should identify any files that must be copied to
a start-up diskette. (This disk should be clearly labeled
so that it is not accidentally misused on an active computer.)
the computer has been booted from the diskette (not the
hard drive to be erased; most machines will automatically
boot from a start-up diskette if one is inserted), the wipe-disk
program must be run. Wipe-disk programs are generally either
command driven or menu driven. Either way, the user will
have to specify the drive to be wiped. The time required
for the program to execute the wipe can vary substantially
depending upon the age and capacity of the drive.
sensitive hardware. Because the disk-wiping
program removes all files from the computer—including
data files, applications, and operating system files—this
significantly reduces the likelihood of a cyber-criminal
gaining access to sensitive information. For extra security,
the IT department should remove any add-in hardware related
to the company’s local area network and security systems
before disposing of the computer.
L. Lunsford is an associate professor of computer
information systems at High Point University, High Point,
N.C. Walter A. Robbins is a professor of
accounting at the University of Alabama, Tuscaloosa, Ala.
Pascal A. Bizarro is an assistant professor
of accounting at the University of Mississippi, Jackson, Miss.