When an IT asset is disposed of, all sensitive information on it must be destroyed, for obvious reasons. However, negligence sometimes leads to errors that leak critical data in the process.
One such incident occurred a few days ago when a German military laptop was sold on eBay for just €90, inclusive of the shipping cost. The buyer, G Data, a firm that specializes in cybersecurity, reported the entire incident in a company blog post on 16 March.
The computer, a product of Roda, featured 128 MB of RAM and an Intel Pentium III processor and was running Windows 2000. On closer inspection, the laptop turned out to contain sensitive information, including military secrets.
The laptop was identified as originating from the Bundeswehr – the German army – and an administrator program called MODIS was found on it, with “GUEST” already entered as its username.
Trying “Guest” in the password field as well worked: the program logged in and granted access. This led the researchers to details of a tank equipped with an anti-aircraft system known as Ocelot. Additional information on its schematics, maintenance and operations was also available.
The researchers knew the material was sensitive not only because of the nature of what was revealed to them but also because, as they described, “At the top of every page of the TDv you can see a confidentiality note: VS grade: only for official use”.
Regardless, it is reassuring to know that these details did not create any significant security risk: the instructions for the tank are not usable by anyone but the German army itself, since only it possesses this specific tank.
“The old computers for the LeFlaSys were all discarded and disposed of with the arrangement for deleting or rendering existing storage media unusable. It can be assumed that an error has occurred in the utilization of the computer in question,” said a spokeswoman for the Ministry of Defense.
Malicious actors, though, may use the information as an edge in possible future attacks, on either a cyber or a physical level. In addition, Microsoft Outlook was found installed but logged out, with no other data on the computer.
To conclude, leaving a complete program behind by mistake is one thing, but many people also fail to permanently delete their files when selling their computers or smartphones. For instance, a recent study by the University of Hertfordshire found that among the 100 second-hand phones purchased by the firm on eBay specifically for the study between January and June 2018, 17% contained the previous owner’s personal data.
To avoid such errors, either remove or destroy the hard drive, or use a professional program that overwrites the disk and leaves no room for recovery, which may otherwise be possible.