Examples of DATA Leakage

December 20, 2010

In 2005 100 Hard Disk Drives bought on eBay for £5 each. 1 in 7 had valuable data on including Paul McCartney’s. Financial records, pension plans, customer databases, financial information, payroll records, personnel details, login codes, and admin passwords for one of Europe’s largest financial services groups.

August 2008, computer bought on eBay for £35. Held personal data on a million customers from RBS, Nat West and American Express (accidentally sold by their data holding company)

2008 Mobile phones case study – Glamorgan University. 161 phones were randomly bought on eBay: 82 still worked and of that:

  • 7% were deemed to hold enough information to allow for stolen identity
  • 7% would have allowed corporate fraud to take place
  • Of the Blackberry’s bought: 27% carried company data and 16% carried personal data
  • One well-known Australian Senior Businessman’s phone revealed details of an illicit affair

In 2009 a Hard Disk from eBay yielded secrets of the Lockheed Martin’s THAAD Missile Defence System (Star Wars) Names and phone numbers, templates for Lockheed, design documents, subcontractor documents, security policies and blueprints of facilities, as well as a Lockheed Test Launch Procedure PDF, employee personal info and social security numbers.

2010: Warehouse in New Jersey – 4 photocopiers were randomly bought $300 each. New York Police Sex Crimes Division, papers still left on copier but lists of offenders and victims were found on a hard drive. New York Narcotics Division, list of targets for major drugs raid. 95 pages of names, pay stubs and social security numbers 300 pages of individual health records.

2010 study into 43 USB Sticks bought on eBay
– 2 (4%) were damaged and as a result, unreadable.
– 2 (4%) had been effectively cleaned and contained no recoverable data
– 20 (46% of the readable USB Storage devices) had been deleted or formatted, but still contained     recoverable data.
– 41 (95% of the readable USB Storage devices) contained data that could be easily recovered,
– 8 (40%) contained sufficient information for the organisation that they had come from to be identified.
– 14 (70%) contained sufficient information for individuals to be identified.