The careless disposal of data storage devices poses a serious cyber and data security threat to Australians, one that could have “catastrophic” consequences if the sensitive information they hold ends up in the hands of a malicious actor.
Professional services firm PwC warned that Australia’s critical infrastructure regime is exposed to the risks created by disposing of “unsanitised” electronic waste such as phones and laptops, devices on which data is often left intact.
The federal government says all Australians rely on critical infrastructure to “deliver essential services that underpin our economy, security, and sovereignty,” which includes information technologies and communication networks.
“Every year, Australian organisations dispose of thousands of tonnes of e-waste,” PwC cybersecurity and digital trust leader Robert Di Pietro said in a new report (pdf).
“The data stored on these devices and their components may contain sensitive information related to an organisation’s operations, intellectual property, and highly sensitive personally identifying information (PII).”
To demonstrate this point, PwC bought two devices in March for less than $50 (US$33)—a mobile phone and a tablet—and recovered 65 pieces of PII, including home address, personal documents, and photographs.
Most concerning was the tablet, which contained credentials to a database that could enable access to up to 20 million sensitive records, Di Pietro said.
If sold illegally, the data on these devices could be worth a significant sum.
“If we can do that with a relatively low cost and low effort, what could a more motivated cybercriminal group be able to do? That’s a question that hasn’t got a lot of attention,” he told The Australian.
“What we do know … is the recent high-profile breaches have no doubt painted a target on our back and on the backs of many large organisations [that] may be targeted now.”
Supporting his findings were two similar studies. A U.S.-based cyber professional bought 85 second-hand devices online for US$650 and recovered over 366,000 files that included photos and documents, as well as social security, credit card, and passport numbers.
Similarly, researchers from the University of Hertfordshire in the UK bought 200 second-hand USB drives in the U.S. and UK and found that two-thirds contained remanent data from previous users, including sensitive material such as wage slips, tax statements, and medical documents.
Proper Disposal
The report noted that secure disposal of e-waste is complex and recommended that professional disposal by a National Association for Information Destruction AAA (NAID AAA) certified provider be considered when dealing with sensitive information.
One sanitisation process is degaussing, which exposes magnetic media such as hard drives to a strong magnetic field, permanently scrambling the stored data and rendering it unrecoverable. Degaussing does not sanitise flash-based storage, however: the phones, tablets, SSDs and USB drives that featured in these experiments hold data in NAND flash, which must be cryptographically erased, overwritten and verified, or physically destroyed. A factory reset or simple file deletion is not sanitisation either, since it typically removes only file-system references and leaves the underlying data blocks recoverable.
Accordingly, Di Pietro said that when dealing with highly sensitive information, the physical destruction of all components should be seriously considered.
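The findings above (PII and database credentials recovered from cheaply bought devices) come from the kind of check a disposal process should run before a device leaves the organisation: read the raw storage and look for anything a carving tool would find. The script below is an added example for this article, not code from the PwC report or from NAID; it scans a raw image (as would be read from a device with `dd`) for non-blank sectors and for well-known file signatures and connection-string patterns. The 64-sector image, the file signatures chosen, the connection-string regex and the `hunter2` credential are all constructed here for illustration.

```python
"""Remanence check for a raw storage image before a device is disposed of.

Added example, not code from the PwC report.  Given a raw image (e.g. read
with `dd` from the device), it reports how many sectors still hold data and
which well-known file signatures a carving tool would key on.  The sample
image built by build_sample_image() is constructed inline.
"""
import re
from dataclasses import dataclass

SECTOR = 512

# Magic bytes that file-carving tools search for (a small illustrative set).
SIGNATURES = {
    b"\xff\xd8\xff": "JPEG image",
    b"%PDF-": "PDF document",
    b"SQLite format 3\x00": "SQLite database",
    b"-----BEGIN RSA PRIVATE KEY-----": "PEM private key",
}
# Database connection-string pattern; assumed/illustrative, not from the report.
# NUL is excluded so a match stops at the zero-filled bytes that follow it.
CRED_RE = re.compile(rb"(?:postgres|mysql|mongodb)://[^\s'\"\x00]+")


@dataclass
class Finding:
    offset: int
    kind: str
    sample: bytes


def sector_is_blank(sector: bytes) -> bool:
    """Overwritten media reads all 0x00; erased NAND pages read all 0xFF."""
    return sector.count(0x00) == len(sector) or sector.count(0xFF) == len(sector)


def count_nonblank_sectors(image: bytes) -> int:
    """Number of sectors that still carry some data."""
    return sum(1 for off in range(0, len(image), SECTOR)
               if not sector_is_blank(image[off:off + SECTOR]))


def find_remanent_data(image: bytes) -> list[Finding]:
    """Search the whole image rather than sector by sector so that a
    signature straddling a sector boundary is still found."""
    findings = []
    for magic, kind in SIGNATURES.items():
        pos = image.find(magic)
        while pos != -1:
            findings.append(Finding(pos, kind, image[pos:pos + 16]))
            pos = image.find(magic, pos + 1)
    for m in CRED_RE.finditer(image):
        findings.append(Finding(m.start(), "credential string", m.group(0)[:48]))
    return sorted(findings, key=lambda f: f.offset)


def is_sanitised(image: bytes) -> bool:
    """True only if every sector reads blank.

    Caveat: this inspects only what the block layer exposes.  Remapped,
    spare or over-provisioned flash blocks are invisible here, which is
    why physical destruction is recommended for the most sensitive data."""
    return count_nonblank_sectors(image) == 0


def build_sample_image() -> bytes:
    """Constructed 64-sector image imitating a 'factory reset' device that
    removed file-system metadata but left the data blocks behind."""
    buf = bytearray(64 * SECTOR)
    buf[3 * SECTOR:3 * SECTOR + 3] = b"\xff\xd8\xff"                 # photo
    hdr = b"SQLite format 3\x00"
    buf[10 * SECTOR:10 * SECTOR + len(hdr)] = hdr                       # app database
    cred = b"postgres://app:hunter2@db.internal:5432/customers"        # constructed
    buf[10 * SECTOR + 100:10 * SECTOR + 100 + len(cred)] = cred
    buf[20 * SECTOR:22 * SECTOR] = b"\xff" * (2 * SECTOR)             # erased NAND
    key = b"-----BEGIN RSA PRIVATE KEY-----"
    buf[40 * SECTOR:40 * SECTOR + len(key)] = key
    return bytes(buf)


if __name__ == "__main__":
    img = build_sample_image()
    print("sanitised:", is_sanitised(img),
          "non-blank sectors:", count_nonblank_sectors(img))
    for f in find_remanent_data(img):
        print(f"  offset {f.offset:#08x}: {f.kind} {f.sample!r}")
```

Run against the constructed image, the scan reports three non-blank sectors and four findings: a JPEG header, a SQLite database, a database connection string and a private key, which is exactly the category of material the PwC tablet yielded. An all-zero or all-0xFF image passes as sanitised, but only at the logical level the block layer presents; a disposal process for sensitive media should treat this check as a gate, not as proof, and fall back to physical destruction where the report recommends it.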
“As the systems and functions society relies upon become ever-more digitised, serious consideration must be given to how the vast amounts of e-waste, and the valuable data they hold, is securely disposed of,” he said.
At present, organisations are under no explicit obligation to securely dispose of their e-waste.
Therefore, the report recommended an amendment to the Security of Critical Infrastructure Act to ensure secure disposal, bringing the industry in line with government departments and agencies.
It also called for the Office of the Australian Information Commissioner to provide more guidance on the secure sanitisation of e-waste, particularly for small and medium businesses.
According to the Waste Electrical and Electronic Equipment (WEEE) Forum, the world is expected to generate over 70 million tonnes of e-waste a year by 2030.
With higher consumption of electronics, shorter product lifecycles, and a tendency to buy new devices because repair options are limited, the world is creating about two million tonnes more e-waste each year than the year before.
Australian Firms a Popular Target
It comes after a string of cyberattacks on Australian organisations that have put cybersecurity at the forefront of public discourse, including Optus (the second-largest telecommunications provider), Medibank (the largest private health insurer), Woolworths’ MyDeal, and the Australian Department of Defence.
In a recent cyberattack, Melbourne-based consumer finance provider Latitude Financial revealed that approximately 328,000 of its customers had their data stolen.
“As of today, Latitude understands that approximately 103,000 identification documents, more than 97 percent of which are copies of drivers’ licences, were stolen from the first service provider.
“Approximately 225,000 customer records were also stolen from the second service provider,” the company revealed in an investor announcement.