Slideshow

Destroying data to protect against fraud

20 Photos Neerav Bhatt (CSO Online)

Destroying data to protect against fraud

  • Expired corporate bank/credit cards and staff ID cards taken from ex-employees need to be destroyed to prevent financial fraud or attempted unauthorised entry into secure sites.

  • The number of smartphones submitted for destruction is growing as they break more easily than older brick shaped mobile phones, the upgrade cycle is shorter and they can contain many gigabytes of data.

  • A wide variety of items are sent to SDDC by their customers for destruction including storage media, credit cards, cheque books, software installation disks, mobile phones, laptops and emergency services uniforms. One of their strangest jobs was destroying a box of plaster of paris teeth casts from a dentist.

  • 1. Adrian Briscoe General Manager Asia Pacific of data recovery specialists Kroll Ontrack told CSO that the shift to cloud storage brings up an important new consideration for information destruction. How do you cleanse a cloud storage data centre server of your data if you’re shifting data to a new cloud storage vendor or taking it back in-house?

  • This is an interesting “incorrect” answer as home computer users are shifting away from paid subscription software from vendors such as Symantec, McAfee and Trend Micro to [[xref:http://www.networkworld.com/news/2011/060711-free-antivirus-programs-rise-in.html|free/freemium computer security programs]] like Microsoft Security Essentials, AVG and Avast. Should the AFP be hinting that Australians would be better off paying for computer security software?

  • An information destruction company that isn’t ASIO T4 approved or a member of NAID isn’t regulated in any way and doesn’t have to operate to any particular standard. With spot prices for good quality waste paper potentially worth up to $300/tonne a cowboy operator could charge customers a premium for document destruction but really just be on-selling the paper straight to recyclers such as AMCOR or VISY.

  • In the past photography studios used large amounts of film and accumulated unsold printed photos and film negatives. The vast majority have switched to digital photography and old negatives and prints that don’t need archiving are being destroyed to free up physical storage space.

  • The Australian Federal Police (AFP) marked the first day of National Identity Fraud Awareness Week (17-23 October) by releasing an [[xref:http://www.afp.gov.au/what-we-do/campaigns/national-identity-fraud-awareness-week.aspx|identity fraud awareness survey]] with the purpose of improving information security habits.

  • The Federal Attorney General’s department [[xref:http://www.ag.gov.au/www/agd/rwpattach.nsf/VAP/(689F2CCBD6DC263C912FB74B15BE8285)~Australian+Government+physical+security+management+guidelines+-+Security+zones+and+risk+mitigation+measures.pdf/$file/Australian+Government+physical+security+management+guidelines+-+Security+zones+and+risk+mitigation+measures.pdf|“Physical security management guidelines” (PDF)]] state that: “Commercial strip shredders are not suitable for the destruction of classified or sensitive waste. Anybody wishing to access the information will have little difficulty reconstructing the pages from the resultant strips. Cross cut shredders produce smaller pieces that are harder to reconstruct. The smaller the particle size the more secure the results.”

  • The Office of the Australian Information Commissioner (OAIC) reminds businesses and government agencies that have responsibilities under the The [[xref:http://www.privacy.gov.au/materials/types/infosheets/view/6583#npp4|Data Security section of National Privacy Principles in the Privacy Act 1988]] “to make sure that the personal information of their customers is handled in accordance with the Act … stored securely and destroyed or de-identified if it is no longer needed”.

  • The shift from film to digital video recording continues with the last film [[xref:http://techcrunch.com/2011/10/14/the-worlds-movie-camera-makers-have-all-quietly-stopped-production-of-film-cameras/|movie camera makers recently stopping production]]. Similarly organisations are getting rid of film archives that have been digigised or haven’t got archival value.

  • The data from obsolete storage media is being format shifted to network storage and other high capacity storage solutions, so they have to be destroyed to ensure organisational information stored on them is inaccessible.

  • This lock on SSDC’s transport vehicles is [[xref:http://www.asio.gov.au/ASIO-and-National-Security/Units/T4-Protective-Security.html|ASIO T4 approved]]. Investigation into work practices and accreditation by ASIO’s T4 department is required before a company can perform secure information destruction work for government departments.

  • Some information destruction companies have heavily branded transport vehicles. Anthony Tanti from Sydney based [[xref:http://www.sddc.com.au|Secure Document Destruction Company (SDDC)]] told CSO they use unmarked vehicles as drawing attention to a truck containing valuable government/corporate information is an unnecessary security risk.

  • Physical destruction of hard drives ensures that data cannot be recovered from them. The USA’s [[xref:http://www.nsa.gov/ia/guidance/media_destruction_guidance/|National Security Agency (NSA) Media Destruction Guidance]] list suggests Degaussing as an alternate method of irrevocably wiping magnetic storage media.

  • Destruction shredders require a lot of electricity, especially when more than one is operating at once. SDDC’s electricity provider is about to increase the amount of power their building can draw.

  • Financial Adviser Scott Pape told CSO “the easiest way to takeover someone’s identity is not high tech ways like stealing a Facebook login but to go through their paper recycling bin”. The [[xref:http://www.ag.gov.au/www/agd/rwpattach.nsf/VAP/(4CA02151F94FFB778ADAEC2E6EA8653D)~ID+Theft+Booklet+-+Protecting+your+Identity.PDF/$file/ID+Theft+Booklet+-+Protecting+your+Identity.PDF|Federal Attorney General (PDF)]] suggests Australians should “destroy all old records, files, bills, unsolicited credit card application forms, expired cards - by tearing, cutting up, shredding or burning them before you throw them in the recycling or waste paper bin.” These procedures are particularly important around high-risk times when many people receive and throw away the same kinds of documents such as census forms.

  • The National Association for Information Destruction (NAID) is an international trade association. Members must adhere to specific rules such as using “fully operational CCTV surveillance cameras and back to base security monitoring” and are subject to unannounced audits by a NAID inspector.

  • Backup Floppy disks, CD’s and DVD’s are now considered obsolete due to their low capacity.

  • [[xref:http://www.sbs.com.au/dateline/story/about/id/601347/n/E-Waste-Anger|SBS Dateline]] broke news 2 weeks ago that computers from Australia and other countries that were supposed to be recycled properly had been dumped in Ghana “with many hard drives still intact and containing potentially confidential information”. “With used hard drives available on almost every street [in Ghana], the threat of identity theft is very real”.

Show Comments