A hard drive containing sensitive information on one of Europe's largest financial services groups has been purchased on an internet auction site for just a fiver.
The hard drive was bought as part of research into what happens to lost or stolen laptops.
It contained information including pension plans, dates of birth and home addresses of customers.
The research was conducted by security firm Pointsec Mobile Technologies.
The hard drive in question was purchased on eBay. As well as customer information, it contained personnel details such as payroll records and login codes for the secure intranet site.
If exposed, it could have had serious consequences in terms of customer confidence as well as affecting the share price and legal position of the company.
KEEPING INFORMATION SECURE
Security needs to be put on all mobile devices by IT departments
Access control and encryption should be mandatory
Set up a mobile use policy
Use hard-disk encryption
In total Pointsec purchased 100 hard drives and laptops on internet auction sites to find out how easy it would be for criminals and opportunists to get their hands on valuable company information.
Seven out of 10 hard drives could be read easily despite being supposedly wiped clean.
Pointsec also investigated the life-cycle of a lost laptop. It found that PCs lost at airports or handed in to the police were routinely resold with all the information still on them if they were not reclaimed within 3 months.
At one of the auctions used by the lost property department at Gatwick Airport, researchers were able to access information on one in three laptops using simple password recovery software.
On one machine researchers found 15 Microsoft PowerPoint presentations containing sensitive information on a well-known food manufacturer.
They also accessed customer and company information and private photographs.
"Our research has found just how easy it is to purchase second-hand or lost laptops at public auctions as well as hard drives over the internet and easily access the information on them," said Peter Larsson, chief executive of Pointsec.
"There are dozens of websites which offer password cracking software or recoverable software which criminals, hackers and opportunists use when they want to break into laptops or websites," he added.
Pointsec has been contacted by companies which have been targeted by criminals threatening to go public with information gleaned from stolen or lost laptops.
"Security measures are vital to ensure that security is not compromised. Something as simple as a hard disk drive password can deter the opportunist," said Tony Neate, Technical Industry Liaison at the UK National Hi-Tech Crime Unit.