Between Washington Mutual getting blackmailed after selling computers with sensitive information and now another firm's ATM disk drive showing up on eBay, banks might need to think harder about how they trash their computers.
Properly disposing of disk drives, servers and other obsolete equipment is crucial to safeguarding company and customer data. It's often a back-burner concern as bank technology staff contend with viruses and other security threats. "You have to update antivirus programs weekly and sometimes daily," says Rob Walters, vp of distributed computing services at Union Bank of California.
A major finance company based in New York has a warehouse full of old computers sitting idle, says Alan Brill, a computer forensics guru in the technology services division of investigative firm Kroll Worldwide. Its technology department doesn't have time to prep them for disposal. "They're paying the price for storage until they can come up with a solution. But not everybody does that," Brill says.
A couple of MIT grad students proved this by buying 158 used disk drives, many on eBay. Most had recoverable files, including sensitive medical information and thousands of credit card numbers. One drive, believed to be from an ATM in Illinois, had thousands of account numbers and balances.
Personal computers don't actually erase data when the user deletes a file. Reformatting a drive doesn't take care of the problem either. But there are inexpensive programs that can, by overwriting every bit of information on a disk drive four times, to Department of Defense standards. After this, drives are considered properly sanitized. A Google search turns up downloadable programs to do this.
Gartner Dataquest estimates about 150 million disk drives were retired in 2002, up from 130 million in 2001. Those might be down years. "There wasn't a lot of hardware activity for the past couple of years because of Y2K," says Jeffrey Korona, president of re.Source Partners, which helps companies, including four large banks, dispose of computers. Many financial institutions that own their equipment are updating their technology, he says. Re.Source resells 80 percent of the equipment it handles. Disk drives beyond repair are drilled with holes and discarded in an environmentally-friendly way. Computer equipment is considered hazardous waste because it contains lead and other toxic materials. Companies that don't take proper care can pay thousands for cleanup costs and fines.
Industry sources say most big banks are on top of disposal. But it's unclear how the thousands of small and mid-size banks are dealing with the issue. Kroll's Brill thinks there's not enough awareness. "A few months ago I gave a presentation to a seminar of credit unions and when I talked about this problem in my lecture, there were people there who looked distinctly uncomfortable," he says.
FBI spokesman Bill Cotter says there's no centralized data on crime linked to discarded computers. But sources agree people do seek out old machines specifically for the information they may contain. Wamu fell prey in 1998 when someone bought a dozen of its computers containing customers' Social Security numbers, loan applications and job histories. Wamu bought the machines back. It responded to an interview request with a written statement saying, "We have not been donating computers because they're leased...we have a policy and process to remove all data from the systems."
Kroll's Brill says every bank should factor in the cost of disposal when buying computers and set strict policies. "There's no rocket science to this," he says. "All of the technology that you need to do this is readily available."
Union Bank of California is in the second cycle of a recently implemented program designed to better track its 10,500 computers. An outsourcing firm helps the bank rotate 200 to 250 per month, ensuring that all data is properly removed. Employees can buy back computers in good working condition. Those not sold after 90 days are marketed elsewhere.
Desktop computers usually last four years and notebooks three, Walters says, adding that the number of PCs at the bank is growing as it upgrades systems in places like the teller line.
Centralizing departmental budgets for computer equipment really made a difference, he says. "We gave ourselves a lot more teeth in that we can say, 'This isn't your department's PC. This is a device that the corporation owns and manages,'" Walters says. Many fought it at first, either for fear of losing budget money or because of a sense of personal ownership. "You'd be surprised how many people just want to keep their old PC after getting a new one."