(Reading time: 9 - 17 minutes)

Secure Data Deletion

Hot

Data Deletion and Erasure

When anything is deleted, most people expect that the deleted item is no longer accessible to them or anyone else. But this is far from the truth because of the way technology works. Deleting data does not mean that it is no long accessible.

This is edited content from Sarb Sembhi and co-host Nick Ioannou. Also in video and podcast media.

 Glossary Terms in this Blog Article - hover to view, click for full glossary.

Introduction

Today we look at why deleting data doesn’t mean that it is not accessible, how to ensure effective data deletion, and what happens if users don’t do that. Where data is not effectively deleted not only is it possible for others to access itat a later time, but it is also possible thatitcould result innon-compliance withdata protection policy.

Issues with data deletion

Whether it is data deletion, alteration, or amendment to existing data, it is often possible to access certain elements of a file on a device. One of the first examples of this came during theUK Prime MinisterTony Blair’s era when someone got a hold of the “Iraq Intelligence document” and was able to access the meta-data which indicated the original author of the document together with other data which is saved as part of the file format.

The way technology works to store and protect data as well as deal with deleting it have always beenvery importantconsiderations as the world moved on from portable magnetic media to other forms of media. And as the last few years have illustrated there have been many moves to go back to such media.

The embarrassment of the UK PrimeMinisterhas been one of the manycasualties which have includedlarge and smallorganisationshave beingcaughton the belief thatdeletingdatameant that wasokayto sellor donate either portable media (like memory sticks, or portabledrives) or computers (PC, laptops, Macs) to charity. Only to find out later that the media or device has been bought by someone who knew how to access that data and make use of it.

There have been many examples of academic institutions who instruct their students to purchase second-hand technology to research and explore what data they could find on these devices.

These exampleshave illustrated both the fact that those sellingused technologydo not understand the issue, but also that even when studies have sought to expose how easy it is to extract data, such studies have had no impact on people’s behaviour.

"It is easy for security researchers to illustrate how trivial it is for them to not only access the data but also touse theconfidential data for things that the original owner never intended."

It is easy for security researchers to illustrate how trivial it is for them to not only access the data but also touse theconfidential data for things that the original owner never intended.However, notall ofthedonated or sold media or devices end up in the hands of researchers, many end up in the hands of people who are only looking for cheap things in the hope of retrievingcompromising data that could be sold on for more than they paid for the media or device.

Since second-hand technology is so cheap, many criminals have used such approaches as side-line organisations to extract and extort the seller on the compromised data found.

The question that we often hear is “If it is so easy, why doesn’t someone do something about it”? To answer thisquestion,we need to explore a little bit of the technology on how data is stored and what happens when it is deleted by the user.

What happens when data is deleted?

Theeasiestway to understand what happens when data is deleted is to understand what happens when data is createdfirst.So,invery simplisticterms, what does happen when data is created?There are variations on different operating systems, different versions of operating systems as well as different types of media,and alsoencrypted drives.

This section of the article is only available for our subscribers. Please click here to subscribe to a subscription plan to view this part of the article.

Default sample Threat Map infographic


Infographic images are copyright of Virtually Informed, and available to registered users for download during the publication week of the blog article together with other downloadable resources, including: all related infographics on this page, example policy templates, posters, screen savers and much more. 


Actions and Activities

Now, on SaRB for SMOs:

  • Help us to help you by completing our short poll on this topic (only available when article is published).
  • Let us know which FAQs you would like us to answer.

Later, in your Organisation:

  • Complete Board level Policy Review
  • Update Policy
  • Present to the Board for Agreement

Finally, if you know anyone who could benefit from the information you have viewed, please invite them to register for SaRB for SMOs and share our resources with them.

Follow-up Resources:

Virtually Informed Resources:

  • Glossary - at the top of this blog article (link to items).
  • Infographics (Downloadable in the week of publication).
  • Download Items - Policy Templates, etc. (Downloadable in the week of publication).
  • FAQ’s (Available soon).
  • Blog articles (link to items )
  • How To articles (links only available to Premium subscribers).
  • Other content (available soon)

External Resources:

  • Ponemon Institute Survey
  • Other Survey information

Images from https://www.pixabay.com.