SaRB for SMO's blog pages are 3000-4500 words, non-subscribers only have access to 800-1000 words.

(Reading time: 9 - 17 minutes)

Secure Data Deletion

Hot

Data Deletion and Erasure

When something is deleted, most people expect that it is no longer accessible to them or anyone else. Unfortunately, this is far from the truth. Deleting data does not mean that it is no longer accessible.

This is edited content from Sarb Sembhi and co-host Nick Ioannou. Also in video and podcast media.

 Glossary Terms in this Blog Article - hover to view, click for full glossary.

Introduction

When data is not effectively deleted not only is it possible for others to access it at a later time, but it is also possible that it could result in non-compliance with data protection policy. Today we are looking at why deleting data doesn’t mean that it is not accessible, how to ensure effective data deletion, and what happens when that doesn't happen.

Issues with data deletion

When we delete, amend or alter any data, certain elements of the original file may still be accessible. One of the best-known examples of this happened during UK prime minister Tony Blair's era, when attackers managed to access - and leak - a deleted intelligence file about Iraq. Although the file had been deleted, the unauthorised user was able to access meta data that contained the name of the document's author, along with other information.

Large and small organisations alike have been caught out and embarrassed by deleted information becoming public, often after donating or selling old technology such as portable media (memory sticks and portable drives) or computers (laptops, PCs and Macs) to charity. It's only later the organisation realises that the technology fell into the hands of someone who knew how to access that data and make use of it.

There have been many examples of academic institutions who instruct their students to purchase second-hand technology to research and explore what data they could find on these devices.

These examples illustrate that those companies selling used technology don't understand the issue, but also that even when studies have explained how easy it is to extract data, such studies have had no impact on people’s behaviour.

"It is easy for security researchers to illustrate how trivial it is for them to not only access the data but also to use the confidential data for things that the original owner never intended."

It is easy for security researchers to illustrate how simple it is for them to not only access apparently 'deleted' data but also to use the confidential data for things that the original owner never intended. However, not all of the donated or sold media or devices end up in the hands of researchers. Many end up in the hands of people who are only looking for cheap things in the hope of retrieving compromising data that could be sold on for more than they paid for the media or device.

Since second-hand technology is so cheap, many criminals have used such approaches as side-line organisations to extract and extort the seller on the compromised data found.

The question that we often hear is, “If it is so easy, why doesn’t someone do something about it? To answer this question, we need to understand how data is stored and what happens when it is deleted by the user.

What happens when data is deleted?

The easiest way to understand what happens when data is deleted is to understand what happens when data is created. The process is similar on all technologies, although there are variations on different operating systems, different versions of operating systems as well as different types of media, and also encrypted drives.

This section of the article is only available for our subscribers. Please click here to subscribe to a subscription plan to view this part of the article.

Default sample Threat Map infographic


Infographic images are copyright of Virtually Informed, and available to registered users for download during the publication week of the blog article together with other downloadable resources, including: all related infographics on this page, example policy templates, posters, screen savers and much more. 


Actions and Activities

Now, on SaRB for SMOs:

  • Help us to help you by completing our short poll on this topic (only available when article is published).
  • Let us know which FAQs you would like us to answer.

Later, in your Organisation:

  • Complete Board level Policy Review
  • Update Policy
  • Present to the Board for Agreement

Finally, if you know anyone who could benefit from the information you have viewed, please invite them to register for SaRB for SMOs and share our resources with them.

Follow-up Resources:

Virtually Informed Resources:

  • Glossary - at the top of this blog article (link to items).
  • Infographics (Downloadable in the week of publication).
  • Download Items - Policy Templates, etc. (Downloadable in the week of publication).
  • FAQ’s (Available soon).
  • Blog articles (link to items )
  • How To articles (links only available to Premium subscribers).
  • Other content (available soon)

External Resources:

  • Ponemon Institute Survey
  • Other Survey information

Images from https://www.pixabay.com.