Personal information, such as medical records and credit card details, as well as state infrastructure keys, have all been found on unscrubbed IT equipment sold by some of Australia’s largest companies and government agencies.
It has been described as the missing “vital piece in the puzzle”, but e-waste could pose a hidden danger to Australians’ privacy and national security, with personal data and business information regularly found on second-hand devices after they are resold.
The things found on second-hand devices are “worse than you can imagine,” according to Kurt Gruber, the founder of cyber-sanitation company WV Technologies, which also buys and resells second-hand equipment from online vendors and auction houses.
“Even top-level government agencies, several of them, are getting rid of completely unswept equipment,” he said.
“With critical infrastructure, we found the network keys for a state’s critical infrastructure at an auction house and destroyed them.
“And then in terms of personal details in there, the full medical records of government and corporate employees and clients, right down to the regular mom and dad.”
That data includes images of intimate surgeries where patients were under anesthesia.
WV Technologies also found entire Excel spreadsheets containing the names, addresses, cell phone numbers and credit card information of major retailers’ customers, as well as alarm codes for dozens of one company’s stores.
“It’s off-planet stuff, and it’s not like it happens just once. We’re so used to it now,” he said.
Research by consulting firm PwC, conducted with WV Technologies, used a second-hand equipment experiment to show that improper disposal of e-waste poses a significant risk of data breaches.
PwC bought a cell phone and a tablet for less than $50 from a thrift store in the ACT to see what data could be recovered from them.
Report author Rob Di Pietro described the results as “shocking”.
They were able to retrieve 65 pieces of personally identifiable information (PII) from the phone, while the tablet — which still had company stickers on it — contained a note with credentials to access a database that gave them access to 20 million sensitive PII records.
“It’s a much bigger problem than we realize today, than anyone has really paid attention to it lately,” Mr Di Pietro told NCA NewsWire.
“We were shocked that individuals would leave the data on these devices in plain sight.”
Australian organizations and individuals dispose of thousands of tonnes of e-waste every year, a figure that will grow rapidly as the global volume of e-waste climbs to exceed 70 million tonnes per year by 2030.
The PwC report found that of the 650 kilotonnes of e-waste produced annually in Australia and New Zealand, only about 10 percent is formally collected rather than thrown in the bin.
WV Technologies estimates that one in every 250 hard drives that passes through its hands has not been erased properly, something Gruber says contributes to cybercrime.
“It’s often weird how you get random ransomware attacks or even phishing emails and they happen to know something about you,” he said.
“There’s no way to make the connection between inappropriate takedowns and where people get your information from, but it should contribute.”
Mr Di Pietro agrees, saying it was “quite possible” that cyber-attacks were carried out based on data found on second-hand devices, as criminals follow the path of “least resistance” to carry out their operations.
“Instead of going to the trouble of hacking into systems to steal identities, they will do it by spending $20-30 online,” he said.
“It worries me when I think about what other motivated cybercriminal groups are doing, possibly going after second-hand devices that might be lying around or being sold on eBay or Gumtree.”
Mr Gruber also said it was important to consider that foreign powers such as China import used hard drives from Australia.
“They can make hard drives for pennies. It’s interesting how many used drives are bought by foreign states.”
According to Mr Gruber, insufficient attention is paid to the safe disposal of IT equipment, partly due to operating costs.
“It makes no sense to invest so heavily in advance [for cyber protection] and then basically let people search the trash cans or online sites and find the things you were trying to protect in the first place,” he said.
“It’s frustrating to know that you have these processes where you have to give your information away, and that there’s a big company out there making a fortune but ultimately not wanting to pay $20 to remove the hard drive.”
The federal government is currently reviewing national cybersecurity and privacy laws in response to the high-profile cyberattacks on Optus and Medibank that compromised the personal data of millions of Australians.
Mr Di Pietro says there is now an “opportunity” for the federal government to include more explicit and clear e-waste obligations for businesses as part of cyber regulation, saying “more needs to be done” to keep Australians safe.
“We are much more focused on [e-safety] in an online sense, and that’s what the breaches were very focused on last year, but we need to see the priority shift to treat our digital footprint equally in an offline sense,” he said.
“And that’s on devices that are no longer needed, and we think that [the legislation] has been neglected.”
Mr Gruber urged companies that dispose of old equipment not to do so internally, but instead to look for data destruction companies holding NAID AAA certification, meaning the provider is government-approved to destroy data up to the highest secret level.
“They’re probably well-intentioned, but it’s not your core business,” he said.
“They often don’t understand the complexity of properly decommissioning a device.”
The problem goes beyond discarded hard drives: more complex IT devices that connect corporate networks often hold the most data.
“Hard drives make everyone’s hair stand on end because you can physically see the threat, but a lot of the most advanced stuff just hasn’t been touched,” he said.
“They don’t understand that there’s data on a lot of chips these days, it’s not just the hard drive.”