Is it possible to retrieve data from a burned-out hard drive? Yes. After the Columbia shuttle disaster, forensic experts reconstructed a hard disk damaged by fire and recovered 99% of the data. That was a rotational hard disk back in 2003. Since then, SSD storage has become mainstream, but data experts say it is also prone to data extraction after damage. How secure then are physical data destruction methods?
Physical Data Destruction
Data destruction is ensuring that data is irretrievable and inaccessible by unauthorized people. In the simplest form, formatting a storage drive hides most of the data from the casual user. But an expert can easily retrieve this data using widely available forensic tools. There are other methods to destroy the data but not the storage media, for example, software overwriting.
Physical data destruction ensures data is irretrievable by destroying the storage media. This method of data destruction has a certain finality to it. In the Columbia incident, forensic data experts could not retrieve data from the rest of the physically damaged drives. The conclusion then would be that physical data destruction is highly effective. But the effectiveness depends on the method of physical destruction.
Types of Physical Data Destruction
There are several methods of physical destruction of storage media, some requiring specialist equipment. Secure data destruction services use one or a combination of these methods:
Crushing deforms the storage media such that sectors on which it stores data cannot function again. Crushing is done using a crusher with powerful jaws. The drawback with this method is that it still leaves the storage media whole.
Shredding rips the storage media into many small parts that are almost impossible to put back together. The US National Security Agency (NSA) recommends shredding to have a final particle size of at most 2mm in size.
The problem with shredding is that it requires specialist equipment not available to many organizations. Most security conscious organizations keep standard HDD shredders. These shredders work well for rotational HDDs. But they can leave strips of high-density solid-state chips.
Physical destruction by burning uses high temperature furnaces which burn the storage media to ash. It is impossible to put back together storage media that has melted. But burning whole hard drives is not very secure, as the Columbia incident showed.
Physical Data Destruction by Combined Methods
Secure data destruction experts recommend secure data destruction by a combination of methods. Storage media should undergo degaussing first. This is data destruction by scrambling the magnetic fields on a storage media. Degaussing makes data irretrievable but does not physically destroy the storage media. It is also not entirely effective on solid state drives because they store some data on integrated circuits. A degaussed drive cannot be recycled or repurposed because its sectors are irretrievably damaged. It does not register when plugged into a computer.
Degaussed drives should be crushed or shredded to destroy them physically. This extra step in destruction places an extra hurdle in forensic data extraction. In a highly secure data destruction environment, the last step would be to melt down the shredded or crushed remains. This three-stage destruction is impossible to overcome.
Why Do Physical Data Destruction?
Unsecured data poses an enormous security risk to an organization in several ways:
A data breach occurs when information leaks or becomes accessible to persons unauthorized to access it. A study of US and Canadian organizations had 80% of respondents saying they stockpile obsolete equipment. It is very possible to extract data from such stockpiled equipment. There is a secondary risk in the penalties and other legal consequences that a business attracts after a data breach.
Intellectual Property Theft
IP theft occurs when competitors or other unauthorized people discover useful data that gives an organization a competitive edge. For example, research data on old hard drives can be very useful in reverse engineering a popular product.
Sensitive data such as medical records and financial data can be very useful to malicious actors. These actors can use it for blackmail leverage against both employees and clients.
Files on old drives contain useful information that hackers can use to map out vulnerabilities in an organization’s networks. This data could be IP addresses, employee emails, letterheads, communication formats, etc.
Secure data destruction is a mandatory information security task. Various laws that have been legislated to secure data. The General Data Protection Regulation (GDPR) is a good example. It places heavy penalties on organizations that do not secure European clients’ data.
Physical data destruction is only as effective as the resources deployed to do it. A professional data destruction service is the best option for secure data destruction. A professional service has the equipment and know how to ensure physical data destruction is 100% effective. This way, an organization ensures there is no data out there in the wild that will come to haunt them later.