Brad Feld: …Simson Garfinkel bought 235 used hard drives between 11/2000 and 1/2003 from eBay, computer stores, and swap meets. He set up a technical infrastructure to mount the drives, image them (using FreeBSD), store the images on a RAID server, store the metadata in a MySQL database, and then mine the data.

Not surprisingly, he found a huge amount of data, including confidential information such as medical records, HR correspondence, and financial data. For example, Drive #134 was from an ATM in a Chicago bank. It contained one year’s worth of transactions, including over 3,000 card numbers. In this case, the bank had apparently hired a contractor to upgrade the ATM machines – the contractor hired a sub-contractor. The bank and contractor assumed the disks would be properly sanitized, but there were no procedures specified in the contract. As a result, the drives weren’t sanitized correctly and the data was still on them for Simson to play around with.



In addition to explaining the problem and substantiating it with real data, Simson makes a number of suggestions for how to address the issue. Two of his more severe (but logical) suggestions for cleaning all the data off of used drives are (a) to degauss them with a Type I or Type II degausser or (b) destroy, disintegrate, incinerate, pulverize, shred, or melt the drive. Simson’s ultimate prognosis is that “drive slagging is a fool-proof method to prevent data recovery.” Just be careful not to light your house (or office) on fire.



Simson logically ponders this issue, especially in our current Patriot Act-governed world. For less than $1,000 and working part time, he was able to collect thousands of credit cards, detailed financial records on hundreds of people, and confidential corporate files. He concludes by asking – “who else is doing this?”



More here.
