Good Intentions, Troubling Results

Register now

A credit union whose member data was recovered from an old hard drive it had carefully wiped clean before being sold has a message for other financial institutions: "It happened to us, it could happen to you."

The discovery of retrievable member data on an old Power FCU hard drive that had been "recyled"-and the fact a number of other drives remain unaccounted for-may have other credit unions, banks and even the regulators rethinking how they dispose of old computer equipment.

When local television news team WIXT purchased four "recycled" hard drives from a computer store selling used parts, the whole point was to see if old data could be recovered, even though the drives had undergone reformatting and repartitioning at least twice. But even the news crew was astonished when it realized the source of the drives (CU Journal, May 19).

"The very first drive we worked on came up with a list of names and account numbers," said Tim Tortora, news director at WIXT. When the station realized what it had, it contacted Power FCU. "Both the computer store and the credit union said they had gone through the process of purging the information from this drive. But in five minutes, our guy had it back up."

But the hard drive the news crew stumbled across isn't the only one out there. "The drive that the news team bought was one of 20 that the credit union either gave or sold to the store," said Det. Chad Monroe of the Syracuse Police Department. "So, there are 19 drives still out there, and no one knows where they are."

And no one knows what information may-or may not-be recoverable on them.

Nearly every week, The Credit Union Journal receives a press release from a credit union proudly announcing it has donated old computer equipment to a local school or charitable organization. Financial institutions are heavily regulated to ensure they are protecting their members/customers' privacy. So, what do the regulators have to say about this.

"Why, we've done that, too," said NCUA's Cherie Umbel. "We've donated our old computer equipment. I know other government agencies do, too."

In a May 2000 letter to credit unions, NCUA outlined a number of privacy measures credit unions should consider adopting, but there is no specific reference to the disposal of old computer equipment. The closest NCUA comes to discussing this topic: "Adopt secure methods of disposing of sensitive personal information. Consider industrial shredders, locked garbage bins, etc. If disposal is outsourced, assure such companies have strict security procedures. Consider shredding software to delete confidential information from electronic data files."

That's the extent of NCUAs guidance on this topic, according to Umbel, and there is no mention of what should-or shouldn't-be done with old hard drives.

CUNA Mutual Group, which provides bond coverage for a variety of circumstances, including identity theft stemming from a credit union's handling of member data, also donates its old computer equipment, said spokesperson Phil Tschudy.

"We are very careful how we dispose of our own assets," Tschudy related. "At one time, we used to sell our equipment directly to employees, but we have stopped doing that. We work with a third party that specializes in the disposal of industrial waste, which includes such things as computer equipment. We work with a few of them. If you don't use a third party that specializes in this, that could be a vulnerability."

Even so, Tschudy indicated that claims for identity theft or fraud stemming from the donation or recycling of credit union hard drives "hasn't been a big issue."

Still, if a member's identity was stolen as a result of the way a credit union has disposed of its old computer equipment, there are a number of potential hot spots for the credit union. "They could be sued for negligence, breach of privacy due to negligence, it can leave the credit union itself open to fraud, as well," he advised.

The Credit Union Journal tackled this very topic in its Feb. 17 edition, describing the measures that several CUs take before donating their hard drives to ensure that member data is protected.

At Merck Sharp & Dohme FCU, North Wales, Penn., for example, all member files are kept with a service bureau, so no vital member data is ever stored on a computer's harddrive. Indeed, John Wakefield, CEO of Power FCU said his credit union is moving to thin-client technology for the same reason. Eventually, PFCU's member data will be kept only on the thin-client server, so none of its hard drives will have that data on them (see related story next week).

When Palisades FCU donated 18 PCs to charity in 2001, the CU checked for any Microsoft Word documents with information and found none. The CU then removed its host connectivity software from the drives and reformatted them. Palisades has already upgraded the means by which it reformats a drive, using software that "can do multiple passes and randomize the overwriting of data."

Travis CU, Vacaville, Calif., also tries to keep its hard drives from ever having member information on them to begin with, but before donating them, the CU still uses a program that rewrites ones and zeros over the entire drive and then erases it-a process it runs at least 10 times.

But even with all these options out there for cleaning information off a hard drive, at least one credit union is taking no chances at all.

"We will physically destroy all hard drives and then incinerate them," Wakefield said. "Security and technology are a moving target. What is 'good enough' to keep hackers out today, six months from now, they'll have a new tool to use to get around whatever measures you used."

For reprint and licensing requests for this article, click here.