In May 2018, Buzzfeed broke the news that the Commonwealth Bank of Australia (CommBank) lost the personal financial histories of 12 million customers and chose not to reveal the breach to those impacted. In one of the largest financial services privacy breaches ever to occur in Australia, its largest bank lost control of 10 years’ worth of customers’ financial information when a subcontractor lost several tape drives containing banking statements from 2004 through 2014.
How does a data breach occur when retiring IT assets?
The breach occurred in 2016 when the bank’s subcontractor Fuji Xerox was decommissioning a data center where some CommBank customer data was stored. The bank’s backup magnetic tape drives of financial statements were believed to have been sent to be destroyed, but when a destruction certificate for the data wasn’t found by May 2016, CommBank launched an investigation to find out what happened to the data.
The bank hired a forensic team from the accounting firm KPMG that conducted an exhaustive search to locate the missing tape drives. One theory KPMG investigated was that the drives weren’t secured properly and fell off the truck that was carrying the data between the data center and the facility where the data destruction was to occur. KPMG’s forensic investigators retraced the route of the truck to determine whether they could locate and recover the drives but were unable to find any sign of them.
What lessons were learned?
Commonwealth Bank notified the appropriate Australian government agency of the breach shortly after becoming aware of it and considered alerting customers but decided not to after it determined that there was a low risk of the data being misused. However, the magnetic tape drives were not encrypted and the customer data was never been recovered. Fuji Xerox declined to comment at the time on its culpability for the breach.
This breach should make companies cautious when selecting IT asset disposition (ITAD) vendors to decommission their data centers, refresh their IT infrastructures, or retire excess assets after a merger or acquisition. Because companies lose control of their data when they retire end-of-life devices, it’s critical that they partner with a trusted, experienced, certified asset disposition vendor, not just ones that offer bolted-on ITAD services in order to generate an easy revenue stream.
Choosing a dedicated ITAD partner that specializes in data security and destruction can save an organization from costly data breaches, which have an average cost per incident of almost $4 million globally, and over $8 million in the U.S. according to Ponemon Institute’s 2019 Cost of a Data Breach Report.
How to Avoid Losing Control of Data on Retired IT Assets
To avoid losing data during the ITAD process, companies should strive to find a vendor that has digital data destruction certifications from the National Association for Information Destruction (NAID). This best practice ensures that all IT assets undergo robust processes to guarantee data security and destruction before the asset is resold or recycled.
Further, clients of NAID AAA-certified vendors receive detailed reports that include any discrepancies between what’s on asset lists and what is actually found in data-storing devices. Certified ITAD providers are also held to a higher standard through mandatory annual audits and the constant possibility of unannounced inspections both at their facilities and client sites, all done under NAID’s oversight.
To avoid data breaches like the one experienced by the Commonwealth Bank and its customers, don’t settle for an R2 or e-Stewards recycler or a huge IT vendor trying to be everything to everyone. Raise the bar on your ITAD vendor selection and go with a certified vendor that specializes in data center decommissioning and data destruction to keep corporate data from falling into the hands of criminals or competitors.
Get peace of mind when disposing of your old assets! Contact us to find out more about the most secure method to decommission your data center and destroy your data. With over 30 years in the technology field, we’re happy – and uniquely qualified – to help.