It’s trite advice for those disposing of old technology that they should ensure data has been properly erased. But that doesn’t mean people are following it.

As anyone who has had their data recovered will tell you, this isn’t merely a case of emptying your recycle bin. Formatting hard disks is a basic requirement, while nuking is obligatory for highly sensitive data. And if it’s a matter of national security you can always get medieval.

Yet people are still failing to take these basic steps, as a recent report by Hewlett-Packard (HP) has shown. The tech company recently bought an Aloha point-of-sale (PoS) terminal off eBay to see what it could glean from it. The result was a trove of names, addresses and social security numbers of the former owner’s employees – in other words, enough information to commit identity fraud.

Despite being used as recently as this year, the system had remained unpatched since 2007. Passwords on the system were as strong as "aloha" and "manager", and those accounts could access the system’s root directory and view the whole system.

"This insecure state could be especially dangerous if you offer free Wi-Fi access to customers without separating the networks used between your PoS and your customers," senior security researcher Matt Oh added – as if the terminal’s security was not poor enough.

As Verizon highlighted in a data breach report earlier this year, PoS systems have long been an important target for hackers. Not only do they have a lot of financial information flowing through them, they are also on the frontline between corporate networks and the outside world.

What’s distressing about this case is how basic the errors are: terrible passwords, easy root access, a lack of patching, and a lack of data erasure before the system was flogged. By failing to take these steps, the employer was putting not just customer data at risk, but employee data too. It can only be hoped the example will deter others.