The security risk of disposing of used PCs has been exposed by a Computerworld investigation which has turned up sensitive government and commercial data.
Information on one of three PCs bought from an Auckland used computer dealer includes correspondence in the name of former prime minister Jenny Shipley and senior bureaucrats.
A second PC was apparently owned by finance company AVCO, bought last year by GE Finance, and contains internal documents and letters to mortage holders sent from the firm's Dunedin office.
The data was recovered by Auckland company Computer Forensics, which specialises in analysing the contents of computer storage media. The company was commissioned by Computerworld to sift through the hard drives of the PCs, bought from Ark Recycling, in Mt Wellington.
Computer Forensics managing director Brian Eardley-Wilmot says the exercise demonstrates the "appalling" carelessness of some IT managers when it comes to getting rid of old PCs.
"IT managers are generally meticulous in security procedures, acknowledging that company data is a priceless resource. Yet daily these same people are allowing their used PCs to be disposed of on the open market," Eardley-Wilmot says.
Ark Recycling director Bob Lye is horrified that PCs whose data he thought had been purged yielded up documents created by their former owners.
"If it means we've been a security breach for these organisations then that concerns me," Lye says.
The PC recycler has been in business since 1994, buying PCs at auction, from brokers and directly from large organisations, mainly for sale to schools.
"We give an undertaking to PC sellers that we clean them," says Lye.
Ark Recycling belongs to the Computer Access New Zealand Trust, which stipulates in its code of practice that it will protect donor security by ensuring data on machines they supply is either deleted or hard drives storing it are destroyed.
The trust says all hard drives handled by accredited recyclers "are to be tested for usability and either (a) physically destroyed; or (b) totally erased using unconditional formatting, including deletion of partition and file tables. All identifying marks are to be removed from all machines."
Lye says until now he had been confident that the procedure his technicians follow of "zeroing" all data on the PCs they handle was fail-safe. He says he will check that the PCs subjected to the Computer Forensics analysis underwent that treatment. If they did, yet data was still recoverable, Lye says it's "back to the drawing board" as far as erasing data's concerned.
"There's a huge probability that those who supply us from industry and government departments would destroy drives in future if their data is not secure."