Lockheed Martin forgets to clean hard drives, sold on eBay

When you're a government contractor you had better keep your ducks in a row. It goes without saying that if you're storing sensitive data, you should dispose of the hard drives properly at the end of their life (EOL).

BT's Security Research Center has found that Lockheed Martin is notoriously bad about not removing the data from hard drives that it disposes of at their EOL. The list of information pulled from hard drives that were originally owned by Lockheed Martin is disturbing. It includes: "launch procedures were found on a hard disk for the THAAD (Terminal High Altitude Area Defense) ground to air missile defense system, used to shoot down Scud missiles in Iraq." and "other sensitive information including bank account details, medical records, confidential business plans, financial company data, personal id numbers, and job descriptions."

All of the hard drives were purchased on eBay or at computer auctions/fairs. It's a growing trend that computer technicians are unaware of how to properly dispose of a hard drive, either by destroying it or by removing the sensitive data in a manner that allows for no possible recovery. Another alarming question: why was this data not encrypted?

Lockheed Martin was not the only corporation found at fault for this practice, but it had by far the most sensitive data.


61 Comments


I bought a Cisco switch off eBay, still loaded with its NOAA configuration on there. Probably some subcontractor of a subcontractor of a subcontractor doing the work and didn't wipe it before sending it to the auction house, which didn't have a rollover cable so they couldn't test it. Also bought a PC this last week at the state surplus store that had a Windows XP load from Clark College on there. It wouldn't boot all the way and I didn't feel like tinkering with it too much, but if I wanted to get into it, it wouldn't have been hard at all.

I just don't get why these sorts of hard drives are not destroyed?
The price of security against the price of a second hand hard drive (which is likely to be a small capacity in this day and age anyway), what the hell are they playing at?

heh, appalling.

At work we have a cupboard with 200+ dead / old drives. Every few years we get a company in to turn them into powder which they return to us in clear plastic bags

xendrome said,
Then they sell them on ebay, and you snort the powder that you think was your old hard-drives?

Not quite. The company turns up with a snazzy van kitted out with some industrial shredders. The drives are destroyed on-site, we could sit and watch them turn them to dust if we really wanted.

dead.cell said,
I like to take the silver discs out of the hard drive no longer good or in use. Make great coasters.

They are fun to throw around too.

dead.cell said,
I like to take the silver discs out of the hard drive no longer good or in use. Make great coasters.

You'd think a person who takes apart hard disk drives would at least know it is called a platter.

I don't think they forgot to clean the drives, they just didn't bother. If I was the government I would terminate the contract and get the money back.

eBay?
- Is LM low on cash?

Computer Technicians?
How on earth are they computer technicians if they don't know how to destroy such data?

eBay. No, I doubt LockMart is low on cash, but depending on the company's policies on disposal, I would not be surprised if one of their sites decided to get rid of excess equipment via a sale. Other companies have done it before, some have company stores where an employee can purchase a used computer or laptop.

Computer Technicians. I've said it up thread. It is not your responsibility to know how to destroy data. In a large site, you might have contractors who maintain the hardware, and all they might do is pull a drive out that's failing, slap in a new one, run a script to reload your machine and walk away. That is the entire extent of their job, too. Machine failed? Drop a new one off at the desk that's been configured and have a nice day. (Where I work is a small site, so the techs there have to know how to troubleshoot hardware and software.)

If that info is bought on the black market, imagine what could be done with it? Remember just weeks ago we had terabytes of data stolen by hackers. How come our government networks are not encrypted, and other services using a VPN at least?

Note: I am a bad speller.

Is there a greener way of securely wiping the hard drive (or making it unrecoverable) than burning it? Also, are you able to recycle hard drives?

We have DoD certified programs that will do either a 3-pass or 7-pass wipe. In either case, you end up with a drive that has been written to and zeroed out so that the data cannot be recovered.

There are places that are starting to spring up that deal with electronics recycling. California instituted a program statewide for electronics recycling, with drop off points and everything. We (meaning the site where I work) have a contractor that comes and takes care of our excess equipment on an as-needed basis.

I seriously doubt LM as a company said hey, let's take all these 3,000 hard drives and put them on Ebay. I think it is more like some lazy and idiot contractors/employees from LM taking the drives, which were supposed to be disposed of and selling them themselves. Either way, a company has to have good procedures in place for getting rid of hardware...and apparently these guys need to look at those procedures again.

Agreed. Where I work, we do have very definite procedures for disposing of excess computer hardware, and we follow them to the letter. That means clearing the BIOS, running the DoD certified drive wipe tools, and making sure nothing was left behind in the machine before they are picked up for disposal. Now that doesn't mean that the hardware won't end up on, say, Dell's used hardware pages, but it does mean that we've done everything that was expected of us prior to that point, and have paperwork signed off showing it.

Paranoia can be a good thing when you're dealing with the DoD.

Meh, I would have just taken them down to a place where they shred metal, at least I know they'll be recycled and not in landfill.

It's not our job to destroy the drives. If you work for any of the major defense department contractors, it's the responsibility of the site security folks to dispose/destroy the drives. *YOU* (as a technician) can be held liable for destruction of government property if you decide to do the job yourself, and don't delude yourself into thinking otherwise.

I don't know what's more disturbing: LM forgetting to wipe their hard drives, or putting them on eBay or similar places.

Any hardware which is used for data storage of secret information should be cooked in EM grill to prevent any further usage ...

The best way to get rid of the data on your hard drive when selling your computer is to get rid of the hard drive itself.

java2beans said,
The best way to get rid of the data on your hard drive when selling your computer is to get rid of the hard drive itself.

I remove the platters and chop them into tiny pieces and then dispose of them in at least 10 different places including the sewer.

I do this also for expired plastic bank cards and other sensitive information that is 6+ years old.

How about they employ me, pay me hundreds of thousands of pounds to get rid of their data, I will burn it all in a furnace if they prefer it that way.

leesmithg said,
I remove the platters and chop them into tiny pieces and then dispose of them in at least 10 different places including the sewer.

I do this also for expired plastic bank cards and other sensitive information that is 6+ years old.

How about they employ me, pay me hundreds of thousands of pounds to get rid of their data, I will burn it all in a furnace if they prefer it that way.

You are either a pedophile or paranoid

Well I would refrain from making such comments.

The word is paedophile, which I am not.

Paranoid I am not either, I have disposed of one Hard Drive only which contained information which was copyrighted to me.

The drive had died, so someone with skills maybe, without losing data, could have mounted them on a drive and recovered the data.

I had it backed up to another two drives and 40 DVDs.

So it was no big deal to get another hard drive and transfer the data to it.

We can recover data from Formatted disk easily. There are even many free tools to do that.
It's really funny that all this is found on eBay that too without wiping the data using strong methods.

leesmithg said,
You can only recover data that has not been written over.

Not entirely true, you CAN recover data that was written over, if you have a lot of money and the correct tools

neufuse said,
Not entirely true, you CAN recover data that was written over, if you have a lot of money and the correct tools

And you need some luck and good algorithms to fill in the blanks. It is a myth btw that you can recover data that has been overwritten twice.

neufuse said,
Not entirely true, you CAN recover data that was written over, if you have a lot of money and the correct tools

That's a myth started a long time ago by Peter Gutmann. He now acknowledges that the actual recovery of any useful information from hard drives that have been overwritten with even a single pass of random data is essentially impossible, even by governments. The electron microscope methods mentioned were always just theoretical.

XerXis said,
And you need some luck and good algorithms to fill in the blanks. It is a myth btw that you can recover data that has been overwritten twice.

Only thing I'd like to recover is files off a Syquest Syjet 1.5 GB drive. 2 of them are too full for XP, and doesn't seem to run in 98 for the moment. Anybody who can point me in the direction of a cheap place can probably keep the drive. But most recovery places are about $500 or so. Oh how 1.5 GB used to mean something lol

Recovering overwritten data
See also: Data erasure

When data have been physically overwritten on a hard disk it is generally assumed that the previous data are no longer possible to recover. In 1996, Peter Gutmann, a respected computer scientist, presented a paper that suggested overwritten data could be recovered through the use of Scanning transmission electron microscopy.[4] In 2001, he presented another paper on a similar topic.[5] Substantial criticism has followed, primarily dealing with the lack of any concrete examples of significant amounts of overwritten data being recovered.[6][7] To guard against this type of data recovery, he and Colin Plumb designed the Gutmann method, which is used by several disk scrubbing software packages.

Although Gutmann's theory may be correct, there's no practical evidence that overwritten data can be recovered. Moreover, there are good reasons to think that it cannot.[8]

http://en.wikipedia.org/wiki/Data_recovery

It is really good that the data is not gone forever after formatting.
At least we can get the data back when someone just formats the disk accidentally. Maybe during OS partitioning, installation, etc.

chorpeac said,
OH so format c:\ is not good?? DUH!! hahaha Shame on them


Way too old school. That's why we needed new people in there. Best thing for a company is hire some hackers. Not put them in jail. Then you get idiots giving out top secret stuff to eBay. ZERO the drive idiots!!

Let me state that I work for a defense department contractor (not LockMart, incidentally). Per our company's security policy, we have A) disk encryption on every hard drive that is connected to the network, B) a strong password requirement for accounts, C) a tool that changes the Administrator password on a constant basis, and D) a DoD mandated wipe tool for hard drives for use when the drives are being disposed of. However, the tool only works if the drive can be booted to, which means if the hard drive has suffered a crash, that drive is fully unrecoverable and we have to provide it to the site security folks for physical disposition (read physical destruction). This is what is SUPPOSED to be done, but how often does even our own government sell drives that haven't been sanitized before disposition? Security is only as good as the human factor, something we all tend to keep forgetting.
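The difference between formatting and overwriting that runs through the comments above, and the kind of post-wipe check a disposal procedure can sign off on, shown as an added example (not from the article, BT's report, or any commenter's tooling). The toy image layout, sector numbers and sample records are constructed; a real audit would read the block device instead of an in-memory image.

```python
# Added illustration: why "format" is not sanitization, and how a wipe can be audited.
# The image layout and sample records below are constructed for this example.
SECTOR = 512
META_SECTORS = 4  # toy "file table" region that a format rewrites
SIGNATURES = {b"%PDF-": "pdf", b"PK\x03\x04": "zip/office",
              b"ACCT:": "constructed bank record"}


def build_image(total_sectors=64):
    """Return a bytearray modelling a used drive: file table plus data sectors."""
    img = bytearray(total_sectors * SECTOR)
    img[0:16] = b"TOYFS file table"
    samples = {10: b"%PDF-1.4 procedures manual (constructed)",
               23: b"ACCT:0000-EXAMPLE sort code 00-00-00",
               40: b"PK\x03\x04 payroll.xlsx (constructed)"}
    for sector, data in samples.items():
        img[sector * SECTOR: sector * SECTOR + len(data)] = data
    return img


def quick_format(img):
    """Model a format: only the metadata region is rewritten, data blocks stay."""
    img[0:META_SECTORS * SECTOR] = bytes(META_SECTORS * SECTOR)
    return img


def overwrite_pass(img, fill=0x00):
    """Model one full overwrite pass across every sector."""
    img[:] = bytes([fill]) * len(img)
    return img


def audit(img, expected_fill=0x00):
    """Return (dirty sector indexes, {sector: signature name}) for a wiped image."""
    clean = bytes([expected_fill]) * SECTOR
    dirty, hits = [], {}
    for i in range(len(img) // SECTOR):
        block = bytes(img[i * SECTOR:(i + 1) * SECTOR])
        if block != clean:
            dirty.append(i)
            for magic, name in SIGNATURES.items():
                if magic in block:
                    hits[i] = name
    return dirty, hits


if __name__ == "__main__":
    drive = quick_format(build_image())
    print("after format:   ", audit(drive))
    print("after overwrite:", audit(overwrite_pass(drive)))
```

An audit like this needs a drive that still reads, which is why the failed drives mentioned in the last comment go to physical destruction instead.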