Are major companies unknowingly selling our personal data?
- Replies 3
It's shocking but true: personal information such as medical records, credit card details, and even the keys to state infrastructure have been discovered on unscrubbed IT equipment sold by some of Australia's biggest companies and government agencies.
This means that sensitive information is often left on second-hand devices after they've been sold, posing a serious threat to Australians' privacy and the nation's security.
Kurt Gruber, the founding director of cyber sanitation company WV Technologies, has seen it all. He says that the things found on second-hand devices are 'worse than you can imagine'.
WV Technologies purchases and resells second-hand equipment from online sellers and auction houses, and even government agencies at the highest levels are getting rid of completely unwiped equipment.
The company revealed they have found some truly terrifying things left on these devices. For example, they have discovered network keys for the critical infrastructure of an entire state at an auction house - and had to destroy it to prevent a serious security breach.
But that's not all. The company has also found full medical records of government and corporate employees and customers, including images of intimate surgeries where patients were under anaesthesia.
And they've come across entire Excel spreadsheets with the names, addresses, mobile phone numbers, and credit card details of customers of major retailers. WV Technologies has reportedly even stumbled upon alarm codes for dozens of stores from a single company.
According to Mr Gruber, these findings are 'off-the-planet kinds of things', and they happen more often than you might think.
In addition to the findings of WV Technologies, consulting agency PwC conducted research on the risks of data breaches from the incorrect disposal of e-waste. As part of an experiment on second-hand equipment, PwC purchased a mobile phone and tablet for less than $50 from a second-hand retailer in the ACT.
The results were shocking, according to report author Rob Di Pietro. They were able to retrieve 65 pieces of personally identifying information (PII) from the phone.
But it was the tablet, which still had corporate stickers on it, that contained a note with credentials for access to a database that allowed them to access 20 million sensitive PII records.
Mr Di Pietro described the issue as a 'far bigger problem than we realise today' and that individuals are leaving their data on these devices in plain sight.
It's important to note that the issue of unscrubbed IT equipment being sold is compounded by the fact that Australian organisations and individuals dispose of thousands of tonnes of e-waste each year. The global volume of e-waste is expected to exceed 70 million tonnes per year by 2030, and the figure is growing rapidly.
Unfortunately, according to the PwC report, only about 10% of the 650 kilotonnes of e-waste produced annually in Australia and New Zealand is formally collected.
This means that the majority of e-waste is thrown in the bin, with no proper disposal or data scrubbing taking place.
The issue of unscrubbed IT equipment being sold is not just a matter of personal privacy and security, it also has broader implications for cybercrime and national security.
WV Technology estimates that one in every 250 hard drives that fall into their hands is not wiped correctly, which Mr Gruber believes is contributing to cybercrime.
He explained that there is often a connection between improper disposals and cyber attacks. For example, random ransomware attacks or phishing emails can occur where the attacker knows personal details about the target, but it's difficult to draw a connection between the two.
Mr Di Pietro agrees and believes that cybercriminals are following the path of least resistance, meaning they're more likely to target data found on second-hand devices than to try to hack into secure systems.
This is especially concerning considering that foreign powers such as China are importing used hard drives from Australia. Mr Gruber believes that this is significant since foreign states can make hard drives for a very low cost.
Therefore, it's possible that foreign states could be acquiring sensitive information from improperly disposed of IT equipment, which could be used for malicious purposes.
According to Mr Gruber, one of the main reasons for the lack of attention given to safe IT equipment disposal is the cost associated with it. He believes that companies spend heavily upfront on cybersecurity but then fail to invest in proper disposal methods.
'It doesn't make sense to invest so heavily upfront [for cyber protection] and then basically have people go through the bins or online sites and find the things you were trying to protect in the first place,' he said.
'It's frustrating to know that you have these processes where you've got to give away your information, and there's a big company that makes a fortune but doesn't want to pay $20, in the end, to dispose of the hard drive.'
As the Australian government is currently reforming the country's cyber security laws and privacy act following cyber attacks on Optus and Medibank, where millions of Australians had their personal data exposed, Mr Di Pietro believes that this presents an opportunity to include clearer and more explicit obligations on companies regarding e-waste as part of cyber regulations.
He asserts that 'more needs to be done' to protect Australians from the dangers of improper disposal of electronic equipment.
Members, this has all the hallmarks of a looming crisis.
It's true that smashing a hard drive to pieces is an effective way to wipe it, but it's not the most eco-friendly option. Removing the drive and destroying it makes the computer harder to recycle, which is the ultimate goal of proper e-waste disposal.
If you’re not sure how to wipe a drive using software, it's important to find a reputable e-waste recycler who can do it for you. Many cities have drop-off locations for e-waste, or you can look for an e-waste recycling company in your area.
Australia has a free national recycling scheme for computers that accepts monitors, laptops, keyboards, computer mice, printers, scanners, webcams, computer cables, chargers, hard drives, and motherboards.
Go to this website to find the one nearest to you.
Stay safe, it's important to be aware of how to properly dispose of your unwanted technology when the time comes.
This means that sensitive information is often left on second-hand devices after they've been sold, posing a serious threat to Australians' privacy and the nation's security.
Kurt Gruber, the founding director of cyber sanitation company WV Technologies, has seen it all. He says that the things found on second-hand devices are 'worse than you can imagine'.
WV Technologies purchases and resells second-hand equipment from online sellers and auction houses, and even government agencies at the highest levels are getting rid of completely unwiped equipment.
The lack of attention to the proper disposal of IT equipment is contributing to cybercrime. Credit: Unsplash/John Cameron.
The company revealed they have found some truly terrifying things left on these devices. For example, they have discovered network keys for the critical infrastructure of an entire state at an auction house - and had to destroy it to prevent a serious security breach.
But that's not all. The company has also found full medical records of government and corporate employees and customers, including images of intimate surgeries where patients were under anaesthesia.
And they've come across entire Excel spreadsheets with the names, addresses, mobile phone numbers, and credit card details of customers of major retailers. WV Technologies has reportedly even stumbled upon alarm codes for dozens of stores from a single company.
According to Mr Gruber, these findings are 'off-the-planet kinds of things', and they happen more often than you might think.
Recent findings have revealed that major companies and even government agencies are selling second-hand devices containing sensitive data such as medical and financial details. Credit: Unsplash/Vincent Botta.
In addition to the findings of WV Technologies, consulting agency PwC conducted research on the risks of data breaches from the incorrect disposal of e-waste. As part of an experiment on second-hand equipment, PwC purchased a mobile phone and tablet for less than $50 from a second-hand retailer in the ACT.
The results were shocking, according to report author Rob Di Pietro. They were able to retrieve 65 pieces of personally identifying information (PII) from the phone.
But it was the tablet, which still had corporate stickers on it, that contained a note with credentials for access to a database that allowed them to access 20 million sensitive PII records.
Mr Di Pietro described the issue as a 'far bigger problem than we realise today' and that individuals are leaving their data on these devices in plain sight.
Medical records, credit card details, and even images of intimate surgeries were found stored on IT equipment sold through online sellers and auction houses. Credit: Unsplash/Mika Baumeister.
It's important to note that the issue of unscrubbed IT equipment being sold is compounded by the fact that Australian organisations and individuals dispose of thousands of tonnes of e-waste each year. The global volume of e-waste is expected to exceed 70 million tonnes per year by 2030, and the figure is growing rapidly.
Unfortunately, according to the PwC report, only about 10% of the 650 kilotonnes of e-waste produced annually in Australia and New Zealand is formally collected.
This means that the majority of e-waste is thrown in the bin, with no proper disposal or data scrubbing taking place.
The issue of unscrubbed IT equipment being sold is not just a matter of personal privacy and security, it also has broader implications for cybercrime and national security.
WV Technology estimates that one in every 250 hard drives that fall into their hands is not wiped correctly, which Mr Gruber believes is contributing to cybercrime.
WV Technologies found spreadsheets containing customers' information from major retailers, including their credit card details. Credit: Unsplash/Beth Macdonald.
He explained that there is often a connection between improper disposals and cyber attacks. For example, random ransomware attacks or phishing emails can occur where the attacker knows personal details about the target, but it's difficult to draw a connection between the two.
Mr Di Pietro agrees and believes that cybercriminals are following the path of least resistance, meaning they're more likely to target data found on second-hand devices than to try to hack into secure systems.
This is especially concerning considering that foreign powers such as China are importing used hard drives from Australia. Mr Gruber believes that this is significant since foreign states can make hard drives for a very low cost.
Therefore, it's possible that foreign states could be acquiring sensitive information from improperly disposed of IT equipment, which could be used for malicious purposes.
Companies and government agencies should prioritise proper disposal and data destruction methods for outdated IT equipment. Credit: Unsplash/Helena Lopes.
According to Mr Gruber, one of the main reasons for the lack of attention given to safe IT equipment disposal is the cost associated with it. He believes that companies spend heavily upfront on cybersecurity but then fail to invest in proper disposal methods.
'It doesn't make sense to invest so heavily upfront [for cyber protection] and then basically have people go through the bins or online sites and find the things you were trying to protect in the first place,' he said.
'It's frustrating to know that you have these processes where you've got to give away your information, and there's a big company that makes a fortune but doesn't want to pay $20, in the end, to dispose of the hard drive.'
As the Australian government is currently reforming the country's cyber security laws and privacy act following cyber attacks on Optus and Medibank, where millions of Australians had their personal data exposed, Mr Di Pietro believes that this presents an opportunity to include clearer and more explicit obligations on companies regarding e-waste as part of cyber regulations.
He asserts that 'more needs to be done' to protect Australians from the dangers of improper disposal of electronic equipment.
Members, this has all the hallmarks of a looming crisis.
It's true that smashing a hard drive to pieces is an effective way to wipe it, but it's not the most eco-friendly option. Removing the drive and destroying it makes the computer harder to recycle, which is the ultimate goal of proper e-waste disposal.
If you’re not sure how to wipe a drive using software, it's important to find a reputable e-waste recycler who can do it for you. Many cities have drop-off locations for e-waste, or you can look for an e-waste recycling company in your area.
Go to this website to find the one nearest to you.
Stay safe, it's important to be aware of how to properly dispose of your unwanted technology when the time comes.
.png){kind=icon}
