Data Destruction Policies and Procedures

Your company should have strict data destruction policies and procedures, and more than one person needs to be accountable (think 'chain of custody') to ensure adherence. Need a good example that demonstrates why?

IT Manager Andrew Chapman bought a used drive on eBay for £36 (roughly $66 USD). When he inspected the drive he found that the former contents were still available. To his great surprise he discovered banking information for about 1 million people!

That information included names, addresses, phone numbers, digital signatures, bank account numbers, credit card numbers, maiden names for customers' mothers, applications, credit check reports, and more! The data belongs to customers of Royal Bank of Scotland Group, NatWest, American Express, and possibly others.

Fortunately Chapman is an honest guy so the information didn't fall into the hands of criminals.

According to the Daily Mail, the drive formerly belonged to data archiving company Graphic Data (now owned by MailSource UK Ltd), who reportedly said: "Certain pieces of IT equipment have been removed from a secure area. We are seeking to recover this equipment, which apparently contained customer data."

Well duh!

Whatever procedures they had in place failed catastrophically. So whatever they were doing wasn't failsafe.

Hopefully your company can take a lesson from this incident.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.