- Western companies routinely sell their old tech hardware to private companies in foreign countries, without wiping the sensitive data on them first.
- A Business Insider source found a large database of the Dutch public health insurance system on old equipment abandoned after a hardware upgrade.
- He also found the codes for controlling the traffic lights in multiple Spanish cities.
- It’s pointless worrying about hackers breaking into our systems if we’re giving away data to anyone with a credit card in the hardware refurbishing business, the source says.
Western companies routinely abandon confidential, sensitive, and personally identifying information to private companies in foreign countries when they upgrade their servers, workstations, and networking gear for new hardware, a source tells Business Insider.
The unprotected data is a goldmine for hackers.
The source, based in Romania, approached us after reading our December 22 article on whether hackers had the ability to take entire countries offline. The source runs an IT hardware refurbishment company that buys up old equipment from countries such as Spain, the Benelux area, and the UK, and sells it to customers who don’t need top-spec equipment. Typically he is buying truckloads of old servers, “stuff that is past its prime or out of warranty, but it is still perfectly usable. The procedure is simple: hardware comes in, gets evaluated, fixed, wiped, sold,” the source says.
The problem, our source says, is that even when the incoming hardware has been marked as being already wiped clean it often is not.
A “mostly complete” directory of “passwords for a major European aerospace manufacturer”
“Over the last 3 years I have found a lot of crazy things,” the source says, including:
- A mostly complete database of the Dutch public health insurance system, with social security data, billing, addresses, medical histories. “Imagine the social engineering scams you could do with this data,” the source says.
- Codes, software and procedures for the traffic lights and railway signalling “for a few major Spanish cities.” “Imagine the potentially deadly effects of this getting where it shouldn’t,” he adds.
- Customer credit card data including addresses and shopping habits for a major UK supermarket chain.
- And, alarmingly, “a mostly complete (and as far as I could tell, still up to date and functional) employee directory with access codes / badges / smartcards / passwords for a major European aerospace manufacturer.”
Our source asked for anonymity because his company and its clients would be angered if their identities appeared in an article about lax security.
But two independent sources with industrial cybersecurity expertise – Nir Giller, the CTO of CyberX and Darktrace Director of Technology Andrew Tonschev – both confirmed to Business Insider that the Romanian source’s scenario was both common and plausible.
“Right now, I’m looking at the sensor listing, their IP’s and access data”
“Even now, I am processing the remains of a server farm that until a month or so ago, was part of a power company in France,” our source says. The buyer noted the ability of hackers to burn down factories simply by accessing unprotected systems which control things like temperature sensors that prevent equipment from burning out. “Guess what, data [from the French company] is still there,” the source claims. “Right now, I’m looking at the sensor listing, their IP’s and access data. Obviously, I’m sanitizing everything before passing it on, but it never should have gotten into my hands in the first place.”
The source says that sometimes the data he finds is so critical that he contacts the originating company to alert them to that they have a problem with security. “In most cases the reaction was one of disbelief, ‘no, it cannot happen to us, we’re well protected!'”
As more companies lease server space, fewer of them know what happens when those leases end
The problem exists because of the way server space is discarded by large corporations. Few companies want the bother of maintaining their own server farms. So they lease space from specialists. At the end of a lease, companies can walk away from their contracts – leaving the servers with the vendor, which is supposed to carefully destroy the data. Alternatively, when older servers reach the end of their warranty they are replaced in “forklift” upgrades, en masse. In both cases, the disused servers are supposed to be wiped by certified experts using special software and approved processes. In reality, it’s quicker to skip steps, or not do it properly, or let mistakes go. The result is that the original data is often accessible even when an old server has been certified clean.
“The West is failing at an institutional level to keep their critical data safe,” the source says “No need for CSI-worthy hacking stories, just a credit card to buy up your used hardware – odds are the data will be still there, even if someone marked them as already wiped.”