8 Risks of Improper Data Destruction


There are numerous risks of improper data destruction, ranging from disgruntled employees to costly lawsuits. Unless management and information technology professionals know what they’re doing, they could jeopardize the brand’s reputation and financial security.

1. Compromised Customer Data Leads to Legal Issues

In 2022, the United States Securities and Exchange Commission fined Morgan Stanley $35 million for mishandling the sensitive data of approximately 15 million customers through a series of “astonishing” failures. It had hired a moving company — one with no experience in data destruction — to decommission servers and hard drives.

That enterprise sold those servers and hard drives to a third party, and thousands were promptly resold on an online auction site. They contained sensitive or identifying information, all of which was unencrypted. Only a fraction of the devices were recovered.

If Morgan Stanley had simply paid a competent third party for data destruction, it wouldn’t have had to pay a $35 million fine. Businesses that handle financial, health or personally identifying information are subject to various regulations. Noncompliance lands them in legal hot water.

2. Staff Responds With Resignations or Lawsuits

Reduced worker retention is a risk of improper data destruction. If staff members find out their health, performance or financial records were compromised due to negligence, they’ll be unhappy at best and litigious at worst. Depending on the circumstances, they may resign or even sue their employer.

3. Incomplete Destruction Results in a Data Breach

Physical destruction breaks devices into tiny fragments as small as 2 millimeters, rendering them unusable. However, just because something has been physically destroyed does not mean the information it stored is gone. This is particularly true with solid-state drives, which have storage so dense that someone could recover information from shredded bits.

Unless firms know exactly how to wipe devices and any residual data left behind, they risk incomplete destruction. Bad actors with moderate data recovery knowledge could restore deleted files and then put them up for sale on the dark web. As of 2024, $9.36 million is the average cost of a single data breach in the U.S.

4. Unauthorized Access Publicizes Proprietary Information

Unauthorized access occurs when someone gets their hands on information or a system without permission. They might see things they weren’t meant to, like exclusive blueprints or research and development knowledge. A company could use these datasets to publicize proprietary files, destroying their competition’s advantage.

Theoretically, this problem could happen with datasets stored on physical devices or in the cloud. Best practices for vendor and destruction method selection differ slightly depending on storage location.

According to one senior program manager at Microsoft in 2020, the disk sectors where the information was deleted become available for reuse immediately, so they are typically overwritten within two days. Moreover, most major cloud service providers don’t permit direct disk reads, preventing others from accessing the deleted storage block before it is overwritten.

5. Bad Actors Use Information to Blackmail Employees 

In 2022, the consulting firm Alvarez and Marsal Holdings LLC. purchased six personal computers online. While some showed clear attempts at data deletion, others were delivered without any information erased. The firm used widely available software to retrieve 5,875 documents, 6% of which contained sensitive business-related details.

With the rise of telecommuting, many people now store work-related files on their personal devices. In these cases, bad actors could use residual or recovered data for blackmail or extortion, turning even the most dedicated worker into an insider threat. From there, data breaches, record leaks and money laundering are possible.

6. Someone Uses Stolen Data to Stage a Physical Attack

If a bad actor got ahold of a computer with details about the workplace’s security system or layout, they could formulate a plan to break in. For example, they could find out which person opens alone, enabling them to steal the key before others arrive. Details like employee credentials, passwords or answers to security questions could streamline the process.

7. Compromised Business Files Go Embarrassingly Public

While an SSD typically lasts five to 10 years, a hard disk drive will only remain functional for three to five years. They need to be replaced even sooner if they fail. The annualized failure rate for SSDs and HDDs is 0.92% and 3.55%, respectively. Once a data storage device reaches its end-of-life stage, it must be discarded, but not without destroying its information.

In some countries, picking through piles of electronic waste is a lucrative job. There is around 100 times more gold in one ton of smartphones than in one ton of gold ore. Discarded computers and phones often end up in landfills worldwide, making it easy for threat actors to get ahold of improperly destroyed data and publicize what they find.

8. IT Professionals Accidentally Delete Important Data

Sometimes, improper data destruction is not about incomplete deletion. If IT professionals don’t keep logs of what they need to destroy, they risk wiping the wrong hard drive. Without backups, they could permanently erase proprietary, valuable, or sensitive datasets in seconds with methods like degaussing or physical damage.
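
One way to enforce the log-and-backup check before an irreversible wipe is sketched below. This is an added example, not part of the original article: the manifest columns, serial numbers, asset tags and operator name are all constructed for illustration.

```python
"""Added example: gate a wipe on a destruction manifest (constructed data)."""
import csv, io, json
from datetime import datetime, timezone

# Constructed manifest: what the asset owner approved for destruction.
MANIFEST_CSV = """serial,asset_tag,approved_by,backup_verified,method
WD-EXAMPLE-0001,AT-1001,j.doe,yes,degauss
SSD-EXAMPLE-0002,AT-1002,j.doe,no,shred
"""

def load_manifest(text):
    """Index manifest rows by normalized serial number."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["serial"].strip().upper(): r for r in rows}

def check_device(manifest, serial, asset_tag):
    """Return (ok, reason). Refuse unless every condition holds."""
    row = manifest.get(serial.strip().upper())
    if row is None:
        return False, "serial not on destruction manifest"
    if row["asset_tag"] != asset_tag:
        return False, "asset tag does not match manifest entry"
    if not row["approved_by"].strip():
        return False, "no approver recorded"
    if row["backup_verified"].strip().lower() != "yes":
        return False, "backup not verified"
    return True, "cleared for " + row["method"]

def log_entry(serial, asset_tag, ok, reason, operator):
    """One JSON line per decision, so refusals are auditable too."""
    return json.dumps({
        "time": datetime.now(timezone.utc).isoformat(),
        "serial": serial, "asset_tag": asset_tag,
        "operator": operator, "cleared": ok, "reason": reason,
    }, sort_keys=True)

if __name__ == "__main__":
    manifest = load_manifest(MANIFEST_CSV)
    # Constructed devices as read off the drive label at the bench.
    for serial, tag in [("wd-example-0001", "AT-1001"),
                        ("SSD-EXAMPLE-0002", "AT-1002"),
                        ("HDD-EXAMPLE-0003", "AT-1003")]:
        ok, reason = check_device(manifest, serial, tag)
        print(log_entry(serial, tag, ok, reason, operator="bench-1"))
```

Only the first device is cleared; the second is refused because its backup is unverified, and the third because it was never listed for destruction.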

Avoiding the Risks of Improper Data Destruction 

Since the risks of improper data destruction are so significant, IT professionals should be careful. In addition to knowing which destruction method is best for which storage device, they should understand the dangers of trusting random vendors to handle disposal.


As the Features Editor at ReHack, Zac Amos writes about cybersecurity, artificial intelligence, and other tech topics. He is a frequent contributor to Brilliance Security Magazine.

