The careless disposal of data storage devices poses a serious cyber and data security threat to Australians that could have “catastrophic” consequences if the sensitive information ends up in the hands of a malicious actor.
Professional services firm PwC warned that Australia’s critical infrastructure regime was at risk from discarded, “unsanitised” electronic waste like phones and laptops.
“The data stored on these devices and their components may contain sensitive information related to an organisation’s operations, intellectual property, and highly sensitive personally identifying information (PII).”
To demonstrate this point, PwC bought two devices in March for less than $50 (US$33)—a mobile phone and a tablet—and recovered 65 pieces of PII, including home address, personal documents, and photographs.
Most concerning was the tablet, which contained credentials to a database that could enable access to up to 20 million sensitive records, Di Pietro said.
If sold illegally, the data on these devices could be worth a significant sum.
“What we do know … is the recent high-profile breaches have no doubt painted a target on our back and on the backs of many large organisations [that] may be targeted now.”
Proper Disposal
The report noted that secure dumping of e-waste is complex and recommended that professional disposal by a National Association for Information Destruction AAA (NAID AAA) certified provider should be considered when dealing with sensitive information.
One data-wiping process is degaussing, used for applicable magnetic devices such as hard drives, which permanently corrupts data, rendering it unrecoverable.
However, Di Pietro said when dealing with highly sensitive information, the physical destruction of all components should be seriously considered.
“As the systems and functions society relies upon become ever-more digitised, serious consideration must be given to how the vast amounts of e-waste, and the valuable data they hold, is securely disposed of,” he said.
At present, organisations are under no explicit obligation to securely dispose of their e-waste.
Therefore, the report recommended an amendment to the Security of Critical Infrastructure Act to ensure secure disposal, bringing the industry in line with government departments and agencies.
It also called for the Office of the Australian Information Commissioner to provide more guidance on the secure sanitisation of e-waste, particularly for small and medium businesses.
Australian Firms a Popular Target
It comes after a string of cyberattacks targeting Australian firms that have put cybersecurity at the forefront of public discourse, including Optus (the second-largest telecommunications provider), Medibank (the largest private insurer), Woolworths’ MyDeal, and the Australian Department of Defence.
In a recent cyberattack, Melbourne-based consumer finance provider Latitude Financial revealed that over 328,000 of their customers have had their data stolen.
“As of today, Latitude understands that approximately 103,000 identification documents, more than 97 percent of which are copies of drivers’ licences, were stolen from the first service provider.