Blog Home Data security and lawnmowers

Posted by CRU

Data security and lawnmowers

Yesterday, we learned of yet another data security breach: 15,000 current and former New York MTA employees had their personal data exposed on a CD that was found in a CD drive that had been refurbished and subsequently sold. The employee data on the CD was easily readable, but fortunately for all concerned, the buyer of the CD drive was a technology security official who happens to work for a New York City Transit vendor--and who reported what he'd discovered. People are not always that lucky when their personal data pops up in unexpected places, whether by design or accident.

So what does this have to do with lawnmowers? Well, last week, I was out for a lunchtime walk and found the pictured hard drive laying in a landscaped bed next to the sidewalk. (It's normally much less useful to me than the pair of Vise-Grips I found on a run one time--they're still in my toolbox.) The drive has clearly seen better days, as it seems to have met the business end of a lawnmower. In the spirit of picking up trash and creating a science project, I tucked the drive into my jacket pocket and brought it back to see what we might be able to discover.

damaged hard drive; data securityhard disk drive; data security hard disk drive; data securityI'm not a data recovery expert, so who knows how successful I'll be in finding out what's on this drive. Because the electronics were destroyed, I'm hoping to install the drive platters into another set of electronics and then see if the platters spin. The drive itself was easy to open, and despite the grunginess of the outside, the innards appeared to be pristine. Aside from some moisture, that is. So we'll see. Next stop: search online for a working version of this model (I checked with the usual sources in the company: nobody's stashes had this particular drive).

Clearly, these two examples show that data has a chance of turning up in the oddest of places.

What to do? I don't know what the MTA's security procedures are, so I can't say whether policies could have prevented this oops moment, but many data breaches turn out to be caused by employees, inadvertently or intentionally. In the case of my found hard drive, if the contents are encrypted, the drive is doubly nothing more than a paperweight--if that, since it's still shedding dirt on the outside. Or if the previous owner had used our Drive eRazer™ Ultra, I'm out of luck there, too, since the data has long since been securely wiped. Regardless, I'll post any news, one way or the other, regarding what turns up from this crude little exercise in data recovery.