So What Are You Gonna Do – Sue Them?

A security researcher has found, he thinks, years worth of customer data available on Craigslist.  Not exactly the dark web.

The servers were from bankrupt computer store chain NCIX.  The seller had, supposedly, hundreds of servers that were in storage.  The storage company owner was selling the servers after NCIX did not pay their storage bill.

Add to that hundreds of hard drives.

None of this data was encrypted.

Also note that this story wasn’t verified, but we hear stories like this all the time, so even if this was isn’t true, the problem is still real.

This particular seller, according to the story, wasn’t necessarily a complete crook, but he was willing to get money any way he could.  What about if you had a sophisticated crook.  Although we do see this stuff on Craigslist all the time – do doubt sold by clueless people.

In theory people should remove data or wipe encryption keys, but we hear story after story like this.

In the case of this bankrupt retailer who is no longer in business, well, it would probably be hard to prove who did what and even harder to sue them.

For responsible businesses —

You should make sure that there is no data still accessible before you dispose of your computers.  And phones.  And tablets.  And COPIERS (BIG, BIG problem).

Alternatively, remove the hard drives and destroy them. While (assuming you are in a place where this is legal) taking them out back and  putting a few .30-06 rounds into them is fun (and will make them pretty difficult to extract data from unless you are the CIA), many paper recyclers like Iron Mountain will literally shred them for $5 in volume.  That is fun to watch.  I have done it many times.

Many companies will give used hardware to their employees.  This is a particular case to make sure there is no data left, because your employees will likely know the people who’s data might be on those devices.

All this requires is a little care and business process.

Information for this post came from ZDNet.

by