Power FCU here found itself the subject of local news coverage after it recycled an old hard drive, only to have a TV station purchase the computers and recover member data from it.
One lesson learned: the credit union now incinerates used hard drives.
A local television news station, WIXT, purchased four used hard drives for about $50 as part of its research into identity theft. The idea was to see what could still be recovered from the drives, which the credit union believed had been overwritten and reformatted to erase all the previous data from them. When the station discovered one of the hard drives had come from Power FCU and that member-specific data was recoverable on that drive, the station turned the hard drive over to police.
With an investigation into the situation still underway, Power FCU CEO John D. Wakefield could not comment on specifics of the case, but he did want to share some of the lessons learned from the situation so that other credit unions can benefit from it.
"As we've come to find out, recycling old computer equipment is not good enough. No amount of formatting, partitioning or overwriting is good enough because technology security is a moving target," Wakefield cautioned. "What you think is secure and effective today may not be six months from today. You can take all of the known measures for erasing that data, but maybe six months from now the technology to recover that data will have evolved and someone can find a way to get it."
But what about credit unions that donate their equipment to charities, where it's unlikely anyone is even interested in trying to recover old data? Still not good enough, Wakefield advised. "Sure, the charity isn't looking for your data, but what happens five years down the road when the charity acquires newer equipment and decides to get rid of its old equipment? They recycle that equipment, and now somebody else picks it up, and you don't know who that somebody else may be."
Power FCU had been in the process of reviewing a number of its security protocols over the last nine months, even before this incident, but as a result of the hard drive surfacing with member-specific data still recoverable, the $263-million CU has already implemented a number of new procedures.
"Our IT people were following standard industry procedures (when that hard drive was recycled). We believed we had taken all the necessary measures to ensure our data was gone from that drive," Wakefield explained. "Now we know that the only way you can ensure that you have destroyed the data on a hard drive is by taking a sledgehammer to it and smacking it. And who knows, maybe 10 years from now, they'll learn how to take even just a shard of a hard drive and recover old data from it. So, from now on, we physically destroy our old hard drives and then follow that up with incineration. It's the only way. Identity theft is a big enough problem as it is. As credit unions, we don't want to contribute to these security issues by letting our hard drives out the door."