Man arrested for stealing local gov't hard drives with personal info

How do you know that the destruction will be faithfully carried out and not subverted? What controls do you have in place to ensure this?

I suspect that the problem runs deeper and that blind trust ruled.

I'm sure you do suspect that, but the hard drives were stolen by an employee - something that can happen even with due diligence. And there isn't any indication from the story that the due diligence you describe was not done.

Having worked with government agencies, I actually would suspect that due diligence was not the problem. Japanese people are detail oriented by default. Working with government agencies is a lesson in patience.

There is a process step in executing a contract – called due diligence. In a contract for disposal, the contracting party should review the disposal process in detail, looking for any opportunities for the contractor to violate the terms and obtain reasonable assurances that it couldn’t happen. In this step reasonable questions would be: How do you know that the destruction will be faithfully carried out and not subverted? What controls do you have in place to ensure this?

I suspect that the problem runs deeper and that blind trust ruled.

The drives were wiped:

The drives were formatted before being returned to Fujitsu. Not the same as wiping the drive.

Does he work on the governent?

he was dumb for not wiping the drive.

The drives were wiped:

The situation first came to light after a man who bought nine hard drives in an internet auction contacted the Kanagawa government. Even though the data was supposed to have been deleted, the successful bidder was able to restore the drives using special software.

&nbps;

that basically shows you how lax the security was.

Not necessarily. We have no idea of whether it was lax security, or someone who found holes in the system.

The guy who did this was a complete dummy, not some clever data thief. There was no way he wasn't going to get caught.

First part yes, he was dumb for not wiping the drive. As for the 2nd part, well he probably would have gotten away with it if the buyer wasn't nosy. And that basically shows you how lax the security was.

The government was just as much at Fall as the company that was supposed to destroy the drives. The guy that stole the drives was stupid because all he had to do was wipe the drives before he sold them with dban or equivalent software. The same thing the government should have done before they turned them over to anyone. It's a shame that's so much hardware goes to waste and is destroyed when it could be reused if properly sanitized before being resold. Formatting does nothing to the data only sanitizing with the proper wiping programs will destroy the data beyond recovery.

Why not buy a drive shredder if you have that many drives to throw out? They are cheap and then you can destroy the stuff yourself. And save some cash in the process.

That's irrelevant to this story. There are all sorts of reasons why to do it yourself, or why to have it done by a 3rd party. Being economic is not always the best avenue. Sometimes it is. Regardless, that was a debate held somewhere else at some other time, and they chose to go with a 3rd party service.

They were lax with their security, and THAT is not the fault of Fujitsu, that is the lack of proper protocol not being in place as well.

Once again, you do not know what you are talking about. There WAS a protocol in place, and it WAS followed. The hard drives were stolen within that protocol.

Trying to blame this on the government is ridiculous. Governments contract out security exactly because they do not know how to do it right.

Hmmm, double edge sword, first you posted the above as a response, now your saying: "There is an industry standard. It's been set that way for a reason. Government entities are required by law to follow industry standard."

Which is it?

I told him what he was saying was not industry standard, and questioned why the would be expected to follow his standard that doesn't exist. Then I pointed out that¥ an industry standard does exist. How was pointing out the thing he said as not being an industry standard, while pointing out that an industry standard exists in conflict?

Seems you should do your own research before posting before advising others.

This is literally my industry.

*The data included individuals' names, addresses, tax payment records for automobiles, notification of tax investigation with names of companies, as well as records of the prefecture's operations.* It was not encrypted to prevent unauthorized access.

re: They were lax with their security, and THAT is not the fault of Fujitsu, that is the lack of proper protocol not being in place as well.

Can't argue that point, as pointed out in original post. Government as the owner of the data still has the sole responsibility to ensure data is protected since it is the one who passes Law concerning private data.

re: There was a contract that Fujitsu would make the content unrecoverable and dispose of the drives. They got the servers back to Fujitsu safely. The government even formatted the drives before returning them to Fujitsu. So protocol-wise the government is not at fault. That said, given the sensitivity of the information it may have been wiser to run a more sophisticated data-wiper before returning the servers. That is, assuming all they did was a simple format.

The government as at fault due to lax "protocols". That's it end of discussion. Why, well as pointed out formatting was not sufficient enough that even a novice was able to bring back deleted/formatted data, and because it was sensitive data more the weak protocols allowed the data to be brought back to life. Hence, by posting " given the sensitivity of the information it may have been wiser to run a more sophisticated data-wiper before returning the servers." to Fujitsu, the government again failed in their protocols.

Why not buy a drive shredder if you have that many drives to throw out? They are cheap and then you can destroy the stuff yourself. And save some cash in the process.

The guy who did this was a complete dummy, not some clever data thief. There was no way he wasn't going to get caught.

This also reinforces my belief here, that the servers were in fact on site and not in a secured location.

I agree they were probably on site, as nothing in any of the Japanese articles mentions a data-center. Fujitsu have a separate data-center service but here we are talking about Fujitsu Lease, which simply leases the actual computers.

They were lax with their security, and THAT is not the fault of Fujitsu, that is the lack of proper protocol not being in place as well.

There was a contract that Fujitsu would make the content unrecoverable and dispose of the drives. They got the servers back to Fujitsu safely. The government even formatted the drives before returning them to Fujitsu. So protocol-wise the government is not at fault. That said, given the sensitivity of the information it may have been wiser to run a more sophisticated data-wiper before returning the servers. That is, assuming all they did was a simple format.

It is very easy to make a HD useless. You only need to drill or punch a hole through. This should not be controlled by a third party company.

Chances are these servers are in secure datacenters which only a few people have access too. Quite a process to get in, as part of my work I have to do that. It's not like these harddrives are being put in the mail and sent to the recycling firm.

This also reinforces my belief here, that the servers were in fact on site and not in a secured location.

The data included individuals' names, addresses, tax payment records for automobiles, notification of tax investigation with names of companies, as well as records of the prefecture's operations. It was not encrypted to prevent unauthorized access.

They were lax with their security, and THAT is not the fault of Fujitsu, that is the lack of proper protocol not being in place as well.

They were set up for easy access, and when they upgraded or changed the HD, the data was still on them!

This means that they aren't servers that are readily accessed or even stored in the government building. Chances are these servers are in secure datacenters which only a few people have access too. Quite a process to get in, as part of my work I have to do that. It's not like these harddrives are being put in the mail and sent to the recycling firm.

You are assuming that the servers are not on site. There are far too many Japanese businesses that do keep their own physical servers, even one's that are leased from companies like Fujitsu!

I also personally know of Japanese government offices that also have their own servers on site.

I work in a Japanese company, and one that has been around for nearly 100 years, ONLY last year did they switch over to cloud services, until they they used on-site servers, leased by Fujitsu as well.

Not to mention that in some Japanese government offices, one's I referred to earlier, the servers are located in each of the different sections in the building. One server for Admin, one for the BOE, one for the tax office, one for the National Health insurance, etc etc etc, and are not centrally located, and are easily accessible.

People give far too much credit to the Japanese government for having IT security, they most certainly dont!

The servers have been leased from Fujitsu Leasing Co, which commissioned Broadlink to scrap the hard drives after they were replaced.

This means that they aren't servers that are readily accessed or even stored in the government building. Chances are these servers are in secure datacenters which only a few people have access too. Quite a process to get in, as part of my work I have to do that. It's not like these harddrives are being put in the mail and sent to the recycling firm.

The government did absolutely nothing wrong here. They followed all security practices to the enth degree. Which included leases on servers in secure facilities to handle data with a prevelant server company (Fujitsu).

RE: Why should they have? What you are speaking of is not industry standard, why should this department have been meeting a standard that doesn't exist elsewhere?

Hmmm, double edge sword, first you posted the above as a response, now your saying: "There is an industry standard. It's been set that way for a reason. Government entities are required by law to follow industry standard."

Which is it? Seems you should do your own research before posting before advising others.

Is that true? There are software tools that offer to wipe data from hard drives (from disk-type drives anyway).

And there are ways to go beyond that to recover data.

Industry standard for PII is physical destruction of the hard drive.

As Yubaru says, it can be time consuming, but why shouldn't it be effective?

Because there are still ways of recovering data from drives even after that.

There is an industry standard. It's been set that way for a reason. Government entities are required by law to follow industry standard.

Physical destruction of hard drives is the only way to ensure data destruction.

Is that true? There are software tools that offer to wipe data from hard drives (from disk-type drives anyway). As Yubaru says, it can be time consuming, but why shouldn't it be effective?

the only 100% effective way to destroy the data is to physically destroy the drives, by warping or damaging the discs themselves, you can drill through them, put them in your BBQ, use a sledge hammer a few times, cut them in half, use the large cutters, anything to physically damage the internal disks.

Exactly, which is why the contract companies to dispose of them. This is how the industry works.

It still is the fault of the prefectural government for not properly deleting the information prior to having them disposed.

They may have deleted it. We cannot tell. The drives were wiped at some point before they were sold. We don't know at what point that happened.

But it's irrelevant. What you are describing is not industry standard. If you want to claim they are in the wrong, then you need to explain how acting on the industry standard is wrong.

The servers were leased from Fujitsu, and the information SHOULD have been deleted PRIOR to it leaving the hands of or control the prefectural government.

And how do you know they weren't?

It's not that hard of a process to delete the data, just time consuming. You can delete damn near all the data on a HD by repeating the deletion process, or "wiping" the hard drive 7 times.

Even the US department of defense does that!

BUT the only 100% effective way to destroy the data is to physically destroy the drives, by warping or damaging the discs themselves, you can drill through them, put them in your BBQ, use a sledge hammer a few times, cut them in half, use the large cutters, anything to physically damage the internal disks.

The prefectural government SHOULD have an IT section that could have wiped the drives prior to sending them back to Fujitsu, to have them outsource them for disposal.

They failed in their responsibilities as well!

QUESTION: Could this be done with a sledge hammer? I heard metal shears.

Yes. Physical destruction of hard drives is the only way to ensure data destruction.

Either way, it's not the fault of the prefectural government.

It still is the fault of the prefectural government for not properly deleting the information prior to having them disposed. The servers were leased from Fujitsu, and the information SHOULD have been deleted PRIOR to it leaving the hands of or control the prefectural government.

Their IT security stinks for something like this to happen! Anyone with half a brain could reconstruct the information on the hard drives.

The prefectural government, whether or not the job was outsourced to a 3rd party or not, still is responsible for the data being taken out of their control.

They did not have procedures in place to ensure that this did not occur.

If there is truly no way to ensure the safety of the data except by physically destroying them, you can’t really expect office I.T.s to do it.

QUESTION: Could this be done with a sledge hammer? I heard metal shears.

And it's not stupid to outsource this - they have contracts to ensure this doesn't happen.

Oh an if this was true

It is true:

The servers have been leased from Fujitsu Leasing Co, which commissioned Broadlink to scrap the hard drives after they were replaced.

There was a life-cycle in place for these hard drives, which included secure disposal. The servers were leased from Fujitsu by the prefectural government. The leasing conditions included disposal by Broadlink - a company that handles hard drive disposal.

pray tell why we are reading an article that says otherwise?

Because an employee stole the hard drives.

The Kanagawa government entered a contract with Fujitsu that took industry-standard precautions to ensure the data was securely disposed of. An employee of the company contracted to dispose of that data stole the drives, wiped them in an sloppy manner, then sold them.

Blaming that on the prefectural government, is blaming the victim. It may be that Broadlink had bad procedures in place that didn't properly address the security requirements of the data disposal, which would give the prefectural government (or maybe Fujitsu) a basis on which to sue Broadlink. Or it may be that Broadlink had proper security precautions in place, and this guy worked hard to get around them. This can happen at any company.

Either way, it's not the fault of the prefectural government.

The real question is, why were the HDs discarded with personal info still on them?

They were never discarded. They were given to a company that was contracted to "scrap" them, and an employee of that company stole them instead. Then they ended up sold online as wiped hard drives. The purchaser then restored the data. That would imply that the guy who stole the drives was clearing them, then selling them, probably to make some cash, though that's all speculation as it isn't stated in the story.

And it's not stupid to outsource this - they have contracts to ensure this doesn't happen.

Oh an if this was true, then pray tell why we are reading an article that says otherwise?

No its not stupid to outsource disposal of hardware, BUT it sure the hell IS stupid to send the hardware for disposal before lawfully removing any personal data!

Trying to blame it on the city, is like blaming someone who put their money into a bank for being stupid for putting their money into a bank, if/when that bank collapses.

Apples and oranges argument. I dont expect the bank to give my money away so that when I go there to withdraw some it's all gone!

Why should they have? What you are speaking of is not industry standard, why should this department have been meeting a standard that doesn't exist elsewhere?

BY LAW, the government MUST protect personal information and it can not give out any personal information to third party or outside sources!

By not ensuring that the data was wiped from the drives prior to handing them off for disposal they are technically liable for passing the information to an outside source.

But! The real question is, why were the HDs discarded with personal info still on them? That is the real crime!

Being that this is a government system the IT dept should have wiped the drives thoroughly i.e. destroying them rendering them useless for recovery before letting any go out the door for recycling.

Why should they have? What you are speaking of is not industry standard, why should this department have been meeting a standard that doesn't exist elsewhere?

The recycling company failed in its own internal security program

Exactly. This is on the recycling company.

Root cause is failed IT practices in place or non-existent by the government. Being that this is a government system the IT dept should have wiped the drives thoroughly i.e. destroying them rendering them useless for recovery before letting any go out the door for recycling. The recycling company failed in its own internal security program as this was done as far back as 2016 and only discovered by yet another 3rd party who came forward, possibly a hacker improving their skills but had a conscience afterall.

Agreed.  They should not leave the physical custody of the owner until they are physically distroyed.  There are lots of metal recyclers with large metal shears to do the job.

Also, the city office is pretty damn stupid to outsource this to a private company! They should be held accountable as well for not taking privacy issues more seriously!

No, this is pretty normal. Hard drive destruction is not a skill set most city people are going to have. Pretty much every country will outsource this - my old company did before I started my own (I destroy our hard drives myself).

And it's not stupid to outsource this - they have contracts to ensure this doesn't happen.

The city took measures to make sure they had an avenue to getting their hard drives disposed of in a secure manner. That didn't happen, but it's not their fault, it's the fault of the people they contracted who didn't live up to their obligations.

Trying to blame it on the city, is like blaming someone who put their money into a bank for being stupid for putting their money into a bank, if/when that bank collapses.

Even though the data was supposed to have been deleted, the successful bidder was able to restore the drives using special software.

Doesnt take a genius to recover data from a hard drive. There are plenty of software services online that are available and it's nothing truly "special" about it!

About the only damn way to truly "delete" the data is to physically destroy the hard drives, which for many, is easier said than done!

Also, the city office is pretty damn stupid to outsource this to a private company! They should be held accountable as well for not taking privacy issues more seriously!