Unsanitized disposal of e-waste risks personal data ending up in bad hands: PwC


Careless disposal of data storage devices poses serious cyber and data security threats to Australians with potentially ‘catastrophic’ consequences if sensitive information falls into the wrong hands.

Professional services firm PwC has warned that Australia’s critical infrastructure regime is exposed to security risks from the disposal of ‘unsanitized’ e-waste such as phones and laptops.

The federal government says all Australians rely on critical infrastructure to “provide essential services that support our economy, security and sovereignty”, including information technology and telecommunications networks.

“Every year, Australian organizations dispose of thousands of tons of e-waste,” says Robert Di Pietro, PwC’s cybersecurity and digital trust leader, in a new report.

“The data stored on these devices and their components may contain sensitive information related to organizational operations, intellectual property, and sensitive personally identifiable information (PII).”

To demonstrate this point, PwC purchased two devices (a mobile phone and a tablet) for less than $50 (US$33) in March and collected 65 pieces of PII, including home addresses, personal documents and photos.

Of greatest concern, Di Pietro said, was a tablet containing credentials to a database that would allow access to up to 20 million sensitive records.

The data on these devices can fetch a significant amount if sold illegally.

“What can more ambitious cybercrime groups do if they can do it at relatively low cost and with little effort?” he said.

“What we do know is that … recent high-profile breaches have undoubtedly painted a target on our backs and on the backs of many large organizations [that] may be targeted now.”

Supporting his findings were two similar studies. A US-based cyber expert bought 85 used devices online for US$650, which held 366,000 files, including photographs and documents, social security numbers, credit card numbers, and passport numbers.

Similarly, in an experiment, researchers at the University of Hertfordshire in the UK purchased 200 USB drives from the US and UK and found that two-thirds still had data from previous users. This included sensitive data such as pay slips, tax notices, and medical documents.

Proper disposal

The report notes that safe disposal of e-waste is complex and recommends that professional disposal by a National Association for Information Destruction (NAID AAA) certified provider be considered when dealing with sensitive information.

One data-wiping process is degaussing, which is applied to magnetic devices such as hard drives. This permanently corrupts the data and makes it unrecoverable.

However, Di Pietro says that physical destruction of all components should be seriously considered when dealing with highly sensitive information.

“As the systems and functions that society depends on become more digital than ever before, we need to seriously consider how to safely dispose of the vast amounts of e-waste and the valuable data they hold,” he said.

Organizations currently have no explicit obligation to safely dispose of e-waste.

As such, the report recommended amending the Critical Infrastructure Act to ensure safe disposal, aligning the industry with government ministries and agencies.

It also called on the Australian Information Commissioner’s office to provide guidance on safe sanitization of e-waste, especially for small businesses.

The WEEE (Waste Electrical and Electronic Equipment) Forum estimates that by 2030 the world will generate over 70 million tons of e-waste.

Every year, the world produces about 2 million tons more e-waste than the previous year, due to the higher consumption rate of electronic devices, shorter product lifecycles, and the tendency to buy new devices because of limited repair options.

Australian companies are popular targets

The report comes after a series of cyberattacks targeting Australian companies, including Optus (second largest telecommunications provider), Medibank (largest private insurance company), Woolworth’s MyDeal, and the Australian Department of Defense, which put cybersecurity at the forefront of the public debate.

In a recent cyberattack, Melbourne-based consumer finance provider Latitude Financial revealed that the data of more than 328,000 customers had been stolen.

“As of today, Latitude understands that approximately 103,000 identification documents, more than 97% of which are copies of driver’s licenses, have been stolen from the original service provider.

“Approximately 225,000 customer records were also stolen from a second service provider,” the company said in a statement to investors.