Computer hard drive sold on eBay ‘had details of top secret U.S. missile defence system
Highly sensitive details of a US military missile air defence system were found on a second-hand hard drive bought on eBay.
The test launch procedures were found on a hard disk for the THAAD (Terminal High Altitude Area Defence) ground to air missile defence system, used to shoot down Scud missiles in Iraq.
The disk also contained security policies, blueprints of facilities and personal information on employees including social security numbers, belonging to technology company Lockheed Martin – who designed and built the system.
British researchers found the data while studying more than 300 hard disks bought at computer auctions, computer fairs and eBay.
The experts also uncovered other sensitive information including bank account details, medical records, confidential business plans, financial company data, personal id numbers, and job descriptions.
The drives were bought from the UK, America, Germany, France and Australia by BT’s Security Research Centre in collaboration with the University of Glamorgan in Wales, Edith Cowan University in Australia and Longwood University in the US.
A spokesman for BT said they found 34 per cent of the hard disks scrutinised contained ‘information of either personal data that could be identified to an individual or commercial data identifying a company or organisation.’
And researchers said a ‘surprisingly large range and quantity of information that could have a potentially commercially damaging impact or pose a threat to the identity and privacy of the individuals involved was recovered as a result of the survey.’
Two disks appear to have been formerly used by Lanarkshire NHS Trust to hold information from the Monklands and Hairmyres hospitals including patient medical records, images of x-rays, medical staff shifts and sensitive and confidential staff letters.
In Australia, one disk came from a nursing home and contained pictures of patients and their wounds.
Confidential material including network data and security logs from the German Embassy in Paris were also discovered on a disk from France.
And the trading performances and budgets of a UK-based fashion company, corporate data from a major motor manufacturing company were discovered along with details of a proposed 50 billion currency exchange through Spain involving a US-based consultant.
Dr Andy Jones, head of information security research at BT, who led the survey, said: ‘This is the fourth time we have carried out this research and it is clear that a majority of organisations and private individuals still have no idea about the potential volume and type of information that is stored on computer hard disks.
‘For a very large proportion of the disks we looked at we found enough information to expose both individuals and companies to a range of potential crimes such as fraud, blackmail and identity theft.
‘Businesses also need to be aware that they could also be acting illegally by not disposing of this kind of data properly.’
Dr Iain Sutherland of the University of Glamorgan said: ‘Of significant concern is the number of large organisations that are still not disposing of confidential information in a secure manner. In the current financial climate they risk losing highly valuable propriety data.’
A spokesman for Lockheed Martin, who make the THADD launch system, said: ‘Lockheed Martin is not aware of any compromise of data related to the Terminal High Altitude Area Defence programme.
‘Until Lockheed Martin can evaluate the hard drive in question, it is not possible to comment further on its potential contents or source.’
A spokesman for NHS Lanarkshire said: ‘This study refers to hard disks which were disposed of in 2006. At that time NHS Lanarkshire had a contractual agreement with an external company for the disposal of computer equipment.
‘In this instance the hard drives had been subjected to a basic level of data removal by the company and had then been disposed of inappropriately. This was clearly in breach of contract and was wholly unacceptable.’
The spokesman said the trust now destroy equipment containing data on the premises, so no longer use external companies to dispose of IT equipment.