T 2.48 Inadequate disposal of data media and documents at the home workplace
If data media or documents are not disposed of properly, it is possible under certain circumstances to extract information from them that should not fall into the hands of third parties.
Examples:
- Attackers do not always need to devise complicated technical attacks to exploit vulnerabilities in IT systems in order to obtain information. It is much easier and more effective to get information from the bin (dumpster diving). Office rubbish such as diskettes, CD-ROMs, internal telephone books or even the most recent profit statements are generally not particularly dirty and can contain a great deal of interesting and reusable information.
- CD-ROMs can be turned in at many locations for recycling. Unfortunately, people often do not realise that CD-ROMs with "old" data backups or other files can still contain information that is of interest to outside parties. Merely scratching the surface of a CD-ROM is not enough to prevent interested parties from analysing the information successfully.
Even old or defective IT systems often contain numerous pieces of information that may be of interest. For example, test purchases of used hard disks by a computer magazine found that 90 % of the hard disks purchased still contained all of the data of the previous owner.
Examples:
- Two scientists from the Massachusetts Institute of Technology studied how much sensitive data could get into the hands of unauthorised persons by purchasing used computers and computer components. Their research found that only 10 % of the IT components had been erased in such a way that no data could be reconstructed. The other disks contained, among other things, pornography, love letters, credit card numbers and patient data. The "top prize" was a hard disk that had evidently been installed in a cash machine before disposal and which still contained some of the software used as well as account numbers and account balances.
- The buyer of a computer taken out of service by a government agency contacted the data protection officers and the press after he was able to reconstruct bankruptcy court data that had only appeared to be deleted.
If telecommuters do not have suitable equipment at their home workplaces for disposing of data media and documents properly, experience shows that these items usually end up in the household rubbish. People working on the road have the unfortunate tendency to throw document drafts and other "useless" papers directly into the next paper bin or just leave them lying around in the hotel or on the train.
Example:
- In this way, patient records were made into paper aeroplanes by the children next door. A telecommuter had placed the records by the front door for recycling. Since the paper aeroplanes containing sensitive information could then be found everywhere in the neighbourhood, the local press soon published an article reporting on the clinic's lack of data protection.