Information for missile defence, banking details and NHS records have been found on old hard drives.
Researchers from BT and the University of Glamorgan bought disks from the UK, America, Germany, France and Australia, according to a BBC report. The companies found that of 300 hard disks bought randomly at computer fairs and via an online auction site, 34 per cent still held personal data.
Details of test launch procedures for the Terminal High Altitude Area Defence ground-to-air missile defence system was found on a disk bought on eBay. It is designed to destroy long-range intercontinental missiles and was tested in March this year.
The missile system was designed and built by US defence group Lockheed Martin, the same computer hard disk also revealed security policies and blueprints of facilities at the group, and personal information on employees.
The BBC revealed that researchers said a disk from France included security logs from an embassy in Paris, while two disks from the UK appear to have originated from a Scottish NHS hospital trust.
The disks had information from the Monklands and Hairmyres hospitals, part of Lanarkshire NHS Trust, and revealed patient medical records, images of x-rays, medical staff shifts and sensitive and confidential staff letters.
Another disk, from a US-based consultant, formerly with a US-based weapons manufacturer, revealed account numbers and details of proposals for the $50bn currency exchange as well as details of business dealings between organisations in the US, Venezuela, Tunisia and Nigeria. Personal correspondence was also found from a member of a major European bank.
In a statement, Lanarkshire NHS Trust said: “This study refers to hard disks which were disposed of in 2006. At that time NHS Lanarkshire had a contractual agreement with an external company for the disposal of computer equipment.
“In this instance the hard drives had been subjected to a basic level of data removal by the company and had then been disposed of inappropriately. This was clearly in breach of contract and was wholly unacceptable.”
It claimed that it had carried out a review of its policies, and it now no longer uses external companies to dispose of IT equipment.
Rik Ferguson, senior security advisor at Trend Micro, said: “Remember, a standard deletion of data from a disk can be likened to simply removing the Contents and Index pages from a book, while leaving the rest of the book intact. To securely dispose of hard drives, use commercial secure deletion software or services, or more simply and cheaply, hit them several times with a large hammer.”
The results of the study will be made available in a paper appearing in the next issue of the Journal of International Commercial Law and Technology 2009.