Académique Documents
Professionnel Documents
Culture Documents
Sooner or later all hard drives are retired. Since the vast majority
of jettisoned drives contain sensitive data, the drive owner should
either remove the data or completely destroy the drive. But many
organizations either fail to understand the risks of leaving data on
drives and take no action to remove it, or mistakenly believe the
data has been safely deleted when in fact it can still be recovered.
This paper provides a set of guidelines and best practices to assist
organizations in properly removing the data on hard drives prior to
their disposal or reuse.
Data Thought to Be Safely Deleted Often Isn’t It’s true that some amount of intellectual property
and company trade secrets will eventually
Before recycling or selling a computer or drive
become obsolete or public information. However,
to another entity, most organizations will delete
the sensitivity of some data never goes away.
the data. However what they may not realize is
Addresses, phone numbers and social security
that deleting the data or even formatting the hard
numbers can last a lifetime, and it’s rare for a
disk does not make the data unrecoverable. MIT
hard drive to not contain at least some of these.
conducted a study to see what type of information
It is never safe to assume that the sensitive
would be recoverable from used hard drives. They
data stored on a disk will become un-sensitive.
purchased 158 hard drives from eBay and other
Another often-misunderstood area is just how
merchants. The devices originally belonged to
easy it is to read data from old drives. That pile
a number of organizations ranging from banks
of discarded drives in the storage room may seem
to law firms. Researchers attached the drives to
so old and so obsolete that there is little risk of
a workstation running a program called FreeBSD
sensitive data being read from them, but that is
and copied data images from the drives. Of the
not the case. Today’s computers have no difficulty
158 drives, only 12 had their data destroyed
reading 15-year-old drives.
in such a way that it could not be recovered.
Sensitive files including thousands of credit
Legislation and Good Business Practices
card numbers, individual’s names and contact
Require Hard-Drive Sanitizing
information, emails, social security numbers,
medical records and other sensitive files were Not only is it good business practice to remove
recovered from the remaining 146 drives. all sensitive data from hard drives before they
In many cases this data was recovered from are repurposed or retired, numerous laws
drives that had actually been reformatted1. impose stiff penalties when private information
is compromised. For example, in the United
To add to the challenge of data deletion, not
States, the state of California passed SB-1386.
even formatting a hard drive will completely
This Security Breach Information Act requires
remove the data. Unfortunately most users,
that all potential victims be notified when there is
organizations, and merchants reusing or
reason to believe that their data could have been
reselling used equipment believe otherwise.
compromised. At the time of this writing, most
This false understanding is derived from the
states within the U.S. have passed similar laws
somewhat misleading warning given before
and all are expected to do so soon. Comparable
format operations: “Warning: Formatting the
legislation exists in Europe and Asia. In order to
disk will permanently remove all data.” However,
comply with these and other similar laws, anytime
formatting a disk does not delete the actual data.
a drive leaves a data center or organization,
Only a small percentage of data on the drive
whether for repair, reuse or retirement, all
is actually overwritten. As an example, on a
sensitive data must be removed or encrypted.
10-GB drive with 20,044,160 sectors, formatting
rewrites only 21,541 sectors—less than Hard Drive Sanitization Approaches
1 percent. Formatting complicates the recovery
of fragmented files, but does not prevent it. There are four basic approaches to sanitizing hard
drive data to ensure it is unrecoverable. Three
The Sensitivity of Some Data Never approaches are patterned after standards created
Goes Away by the Department of Defense (DOD). They
include destruction, degaussing (exposing the
Some may justify not taking strong action to
drive to a powerful magnet) and overwriting, and
destroy stored information on old drives because
are described in the National Industrial Security
they believe the data on them is no longer
Program Operational Manual DOD 5220.22-M.
sensitive or the drive can no longer be read.
The fourth method is cryptographic sanitization,
These beliefs are likely to be incorrect.
1 Remembrance of Data Passed: A Study of Disk Sanitization Practices. Simson L. Garfinkel and Abhi Shelat. Massachusetts Institute of Technology.
Drive Disposal Best Practices
Guidelines for Removing Sensitive Data
Prior to Drive Disposal
Summary
A staggering amount of sensitive data is stored
on disk drives around the world. Since sensitive
data can have a very long life span, it is critical to
destroy that data on disk drives as they go out for
repair, reuse or disposal.
Numerous laws and regulations require that
sensitive data be safeguarded against disclosure,
and there is no time limit placed on the
requirement to protect the data. If a 10-year-old
disk drive containing sensitive data goes outside
of the organization without being sanitized,
serious consequences may ensue.
AMERICAS Seagate Technology LLC 920 Disc Drive, Scotts Valley, California 95066, United States, 831-438-6550
ASIA/PACIFIC Seagate Technology International Ltd. 7000 Ang Mo Kio Avenue 5, Singapore 569877, 65-6485-3888
EUROPE, MIDDLE EAST AND AFRICA Seagate Technology SAS 130–136, rue de Silly, 92773, Boulogne-Billancourt Cedex, France 33 1-4186 10 00
Copyright © 2007 Seagate Technology LLC. All rights reserved. Printed in USA. Seagate, Seagate Technology and the Wave logo are registered trademarks of Seagate Technology
LLC in the United States and/or other countries. All other trademarks or registered trademarks are the property of their respective owners. One gigabyte, or GB, equals one billion
bytes and one terabyte, or TB, equals one trillion bytes when referring to hard drive capacity. Accessible capacity may vary depending on operating environment and formatting.
Seagate reserves the right to change, without notice, product offerings or specifications. Publication Number: TP582.1-0710US, October 2007