Safe & Secure has agreed to improve the way it deletes clients’ information from its hard drives after the Information Commissioner’s Office found one old hard drive still contained customers’ personal information.
The protection provider says it was unaware the information was still on the drive after donating computers to local schools and charities.
In December 2010, the ICO asked a computer forensics company – NCC Group – to source around 200 hard drives, 20 memory sticks and 10 mobile phones bought from internet auction sites such as eBay and from computer trade fairs.
The research found that, while 52% of the hard drives investigated were unreadable or had been wiped of data, 48% contained information and 11% was personal data.
In total, 34,000 files containing personal or corporate information were recovered from the devices.
At least two of the hard drives contained enough information to enable someone to steal the former owner’s identity.
The documents included scanned bank statements, passports, information on previous driving offences and some medical details.
A further four hard drives contained information about the employees and clients of four organisations, including individuals’ health and financial details.
All four organisations, of which Safe & Secure was one, were contacted and have now taken action to ensure clients’ information is securely deleted from redundant equipment, or the device is destroyed as necessary.
Safe & Secure has also signed an undertaking to introduce further improvements.
A spokesman for Safe & Secure says: “A hard drive was indeed found by the ICO watchdog in early 2011 and it did contain some personal customer information.
“Our data controller subsequently co-operated fully with the ICO and agreed to undertake some improvements which included forensically wiping hard drives before disposal.
“It was not considered appropriate or necessary by the ICO to take any formal enhancement action against Safe & Secure.”
He adds: “I would urge all individuals and companies using computers to familiarize themselves with data protection requirements, ensure hard drives or media devices are completely destroyed and keep a record of how/when hard drives are decommissioned.”