
How not to defend yourself against identity theft

A Hewlett-Packard report shows industry practice at its worst.

By Cbr Rolling Blog

It’s trite advice for those disposing of old technology that they should ensure data has been properly erased. But that doesn’t mean people are following it.

As anyone who has had their data recovered will tell you, this isn’t merely a case of emptying your recycle bin. Formatting hard disks is a basic requirement, while nuking is obligatory for highly sensitive data. And if it’s a matter of national security you can always get medieval.

Yet people are still failing to take these basic steps, as a recent report by Hewlett-Packard (HP) has shown. Recently the tech company bought an Aloha point-of-sale (PoS) terminal off eBay to see what they could glean from it. The result was a trove of names, addresses and social security numbers of the former owner’s employees – or enough information to commit identity fraud.

Despite being used as recently as this year, the system had remained unpatched since 2007. Passwords on the system were as strong as "aloha" and "manager", with those accounts able to access the system’s root directory and view the whole system.

"This insecure state could be especially dangerous if you offer free Wi-Fi access to customers without separating the networks used between your PoS and your customers," senior security researcher Matt Oh added – as if the terminal’s security was not poor enough.

As Verizon highlighted in a data breach report earlier this year, PoS systems have long been an important target for hackers. Not only do they have a lot of financial information flowing through them, they are also on the frontline between corporate networks and the outside world.

What’s distressing about this case is how basic the errors are: terrible passwords, easy root access, lack of patching, and a lack of data erasure before the system was flogged. By failing to take these steps the employer was putting not just customer data at risk, but employee data too. It can only be hoped the example will deter others.
