CIO

Reporters find Northrop Grumman data in Ghana market

Data included contracts with TSA, NASA and Defense Intelligence Agency
Tags | e-waste | security

A team of journalists investigating the global electronic waste business has unearthed a security problem too. In a Ghana market, they bought a computer hard drive containing sensitive documents belonging to U.S. government contractor Northrop Grumman.

The drive had belonged to a Fairfax, Virginia, employee who still works for the company and contained "hundreds and hundreds of documents about government contracts," said Peter Klein, an associate professor with the University of British Columbia, who led the investigation for the Public Broadcasting Service show Frontline. He would not disclose details of the documents, but he said that they were marked "competitive sensitive" and covered company contracts with the Defense Intelligence Agency, the National Aeronautics and Space Administration and the Transportation Security Agency.

The data was unencrypted, Klein said in an interview. The cost? US$40.

Northrop Grumman is not sure how the drive ended up in a Ghana market, but apparently the company had hired an outside vendor to dispose of the PC. "Based on the documents we were shown, we believe this hard drive may have been stolen after one of our asset-disposal vendors took possession of the unit," the Northrop Grumman said in a statement. "Despite sophisticated safeguards, no company can inoculate itself completely against crime."

A Northrop Grumman spokesman would not say who was responsible for disposing of the drive, but in its statement the company noted that "the fact that this information is outside our control is disconcerting."

Some of the documents talked about how to recruit airport screeners and several of them even covered data security practices, Klein said. "It was a wonderful, ironic twist," Klein said. "Here were these contracts being awarded based on their ability to keep the data safe."

According to Klein, it's common for old computers and electronic devices to be improperly dumped in developing countries such as Ghana and China, where locals scavenge the material for components, often under horrific working conditions.

Last year the U.S. Government Accountability Office found that a substantial amount of the country's e-waste ended up in developing countries, where it was often dangerously disposed of.

The reporters bought seven hard drives, Klein said. The other drives contained sensitive information about their previous owners, including credit-card numbers, resumes and online account information.

Off-camera, sources in Ghana told the reporters that data thieves routinely scour these hard drives for sensitive information, Klein said.

Although that may be worrying to some, security experts say that there is already a vast quantity of this type of information available online from criminals who have stolen it from hacked computers.

Compared to hacking, stealing data from old hard drives is pretty inefficient, said Scott Moulton, an Atlanta data-recovery expert who teaches classes on data recovery. "It's a tremendous amount of work, so it's only going to be the bottom-of-the-barrel guys who would do that," he said. "It's happening on a small scale."

Still, it's easy for criminals to find data on drives, even when they've been legitimately wiped clean, Moulton said. He buys used hard drives by the hundreds for his classes. These drives have been professionally wiped, but his students always find at least one drive in each class with information still on it.

That's because it's easy for a drive to get missed during the wiping process or improperly wiped. Compounding the problem, the software that some recycling companies use doesn't actually remove all data from the drive, especially data that may be hidden on corrupted parts of the hard drive known as bad blocks, he explained.

The surest way to get your data off of a hard drive is to physically destroy it, Moulton said.

Join CIO, the CIO Executive Council & IDC on 6 October at Australia’s premier Melbourne event for senior IT executives – the CIO Summit 2010. Find out more or register now.

References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
 
Featured Whitepapers
Enhancing Worker Productivity in a Business 2.0 World

New generations of IT-savvy, always-connected workers are entering the workforce with the expectation that their IT tools at work should be at least as powerful and adaptable as their IT tools at home. Learn to optimise IT for productivity - read on.

Wondering how to improve your business with UC on an IP Network?

Join Computerworld's Live Webinar where we will address the move many companies are making towards IP based voice services (SIP trunking, VoIP) and look at how they are using a single connection for data and voice rather than separate lines. Learn about the latest in IP networks and how it can help your organisation.

Wednesday 25th November 2009, Time 10.30 am EST (Sydney, Australia) Screening at your desk

Register now

  • +

    Women did well on Defcon social engineering test 06 September, 2010 05:34:00

    Contest results will be published next week, organizers say
    Of the 135 people Fortune 500 employees targeted by social engineering hackers in a recent contest only five of them refused to give up any corporate information whatsoever. And guess what? All five were women.
  • +

    Google settles Buzz privacy lawsuit 06 September, 2010 05:07:00

    Google will spend $US8.5 million to settle the lawsuit, with money going to privacy groups
    Google is spending US$8.5 million to settle a class-action lawsuit filed over the rollout of its Google Buzz social-networking service.
  • +

    Dealing with disaster 06 September, 2010 10:08:00

    Earthquakes and volcanoes make headlines but business continuity is not just about dealing with natural disasters. It's about sweating the small stuff.
    Earthquakes? Volcanoes? Pandemics? Tsunamis? Are these the stuff of business continuity? Gartner has issued several papers covering major disasters such as the Iceland volcano eruption and its impact on business travel, admitting that “few, if any, businesses plan for a volcanic ash disruption scenario”, which is probably the understatement of the year.
  • +

    Microsoft upgrades free app security tool 04 September, 2010 06:41:00

    Enhanced Mitigation Experience Mitigation Experience Toolkit 2.0 helps Internet apps ward off targeted attacks
    Microsoft released this week an upgrade to a tool that helps secure applications for the Internet without having to recode them.
  • +

    Nigerian advance-fee scammer gets 12 years 04 September, 2010 04:12:00

    Over five years, the man racked up more than $1.3 million
    A Nigerian man has been sentenced to 12 years in prison for sending out fraudulent e-mails offering victims big bucks in exchange for moving cash to the United States.

Recent comments
Media Releases
Zones
SAS Resource Centre

This Resource Centre hosts a wealth of thought leadership articles, whitepapers, and success videos, to help you make the most out of your corporate information in order to swiftly make sound business decisions to survive and thrive in the current economic climate.

Oracle Resource Centre

News, Features and the latest whitepapers on SOA, Application Grid, Enterprise Management and Database

CIO Industry Insight Podcast #9: Tim Ayling, Chief Executive Officer, Platform46
Listen to the latest edition of CIO Live which is now available for download.
Listen to the podcast
Sign up to the CIO Live email
Whitepaper
Securing People and Information: How to Protect Against Today’s Web-based Threats

This white paper explores the benefits of an Application Delivery Network, highlighting the ability to protect your users and applications and still deliver outstanding application performance with confidence, consistency and cost-effectiveness across your distributed network.

Read Whitepaper

Brought to you by
Videos
Get a job Careerone