Researchers Find Missile Defense Data On Used Hard Drive

For the fourth straight year, researchers at the University of Glamorgan in Scotland have turned up surprisingly sensitive data -- including details of test-launch procedures for a U.S. defense missile -- by buying secondhand PCs.

Although the official data from this year's study has not yet been released, the research team, which included Edith Cowan University of Australia and BT, revealed some early results yesterday in news reports by the BBC and British television affiliates.

The research is part of a five-year study to show the implications of poor hard drive and device data-wiping and disposal practices. In last year's study, the researchers found a wide range of sensitive data on BlackBerrys and other mobile devices. In 2007 and 2006, researchers found sensitive data on many of the PC hard drives they purchased in the used market.

This year, the researchers found personal or sensitive data on 34 percent of 300 hard disks bought randomly at computer fairs and online auctions in the U.K., U.S., Germany, France, and Australia. The information was enough to expose individuals and firms to fraud and identity theft, they said.

One of the most interesting finds in this year's batch was the test-launch procedures for the U.S. THAAD (Terminal High Altitude Area Defense) ground-to-air missile defense system, which was found on a disk bought on eBay. The missile system was built by Lockheed Martin, and the same computer hard disk also revealed security policies and blueprints of facilities at the company, as well as personal information about employees, according to the news reports. Lockheed Martin officials said they had no knowledge of a data loss.

The PC purchases also turned up sensitive data from companies such as Laura Ashley and Ford Motor, as well as patient medical records from the U.K.'s Lanarkshire National Health Services agency, according to a report by BBC Channel 4.

Another disk, previously owned by a U.S.-based consultant who formerly worked with a U.S.-based weapons manufacturer, revealed account numbers and details of proposals for a $50 billion currency exchange through Spain. It also revealed details of business dealings between organizations in the U.S., Venezuela, Tunisia, and Nigeria.

Andrew Blyth, an expert in computer forensics and principal lecturer at the University of Glamorgan's faculty of advanced technology, told the BBC that the results were in line with previous studies, which showed that 40 to 50 percent of second-hand disks that could be powered up contained sensitive data.

"While it's not getting worse, it's not getting any better, either," Blyth said of hard drive erasure practices. "It's not rocket science. I could probably take somebody who is 14 or 15 years old and in a day have them doing this."

"It is clear that a majority of organizations and private individuals still have no idea about the potential volume and type of information that is stored on computer hard disks," added Andy Jones, head of information security research at BT.

The results of the study are scheduled to be released in a paper appearing in the next issue of the Journal of International Commercial Law and Technology later this year.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.