Enron data retrieval

kelley kwalker2 at gte.net
Fri Jan 25 09:48:36 PST 2002


At 12:23 PM 1/25/02 -0500, Doug Henwood wrote:
>Carl Remick wrote:
>
>>There seems to be a lot of techno savvy on the LBO list, so I'd like to
>>pose this question: How difficult would it be to reconstruct electronic
>>and paper Enron files that Arthur Andersen destroyed? My impression is
>>that federal security and intelligence agencies have data-retrieval
>>technology that could do this relatively easily.

They're supposed to have procedures in place that the US military uses for sanitizing sensitive data--when it's legal to do so. It is likely that they didn't do this-- at least, this is what I read at Cyberia-L and what I've picked up in convos with people in the computer security industry--our clients are Fortune 100 financial institutions.

Here's an overview from Fred Langa:

The "Dead Drive" Security Loophole

You may get a nasty surprise if you send your system out for repairs! Consider your options.

By Fred Langa

Any time you return a system or hard drive for repair, resell it, hand it down, discard it, or otherwise place it in someone else's hands, you're potentially giving that person access to everything on the drive, including files that you thought were deleted, reformatted, or overwritten.

Reader Andy Nelaimischkies recently encountered this little-discussed but major security problem:

"Hi Fred: I recently had a new hard drive fail due to apparent motor failure. I returned it for another one but afterwards I was thinking: What's to prevent someone from fixing it and accessing my personal data at a later date? Is there a way to erase a drive before returning it for a replacement? Am I being too paranoid?"

No, that's not paranoia! While this case--a dead motor--would have presented some unusual challenges to a snoop, in most cases it's amazingly easy to recover data from old hard drives, even if they've been "erased" or reformatted. (And in Andy's case, he never had the chance to do even that; his data was intact, exactly as it was when the drive died!)

Whenever a hard drive changes hands for any reason, there's absolutely nothing (except the imperfect protection of the honesty and ethics of others) to prevent the new owner of the drive from gaining access to whatever was on it. Your business plans, E-mail, tax records, passwords, and any private or confidential information may all be up for grabs, even if you've deleted the files or reformatted the disk.

Ironically, even persons and organizations that exercise good security practices during the normal life of a system or hard drive may not pay enough attention to security during repair operations or at the end of a system's life.

False Security

You probably already know that erasing or deleting a file normally doesn't really erase or delete much of anything: Rather, when you erase or delete a file, the file system simply changes the directory entry and marks the file's area as available for reuse. The original file contents are still there on the hard drive, essentially intact. Eventually, as the hard drive gets used, the original file may be overwritten with other data, but on today's huge hard drives, that can take quite a while.

Plus, some operating system components and add-on utilities may work in the background to actively preserve your deleted files. In normal operation, for example, the Windows Recycle Bin only pretends to delete files. What really happens is the Recycle Bin subsystem quietly copies the file, intact, to a special directory from which it can easily be recovered. Even when you empty the Recycle Bin, the deleted file still isn't really gone, because the normal OS-level deletion operation kicks in and simply marks the file area as "ready for reuse." Once again, the data remains intact on the disk until and unless it's eventually overwritten.

Similarly, Windows ME (and probably the forthcoming XP) have a System Restore function that saves and can restore certain kinds of files, even if they've otherwise been totally erased.

And--this comes as a surprise to many users--even a full reformat doesn't actually erase all the data on a drive: Instead, the format operation simply writes a new file allocation table and sector information. Much of the old data on the drive is still there, intact.

Easy To Resurrect Dead Files

Because normal Formats and Erase/Delete operations don't touch much of the data on your disk, it's not hard to bring those files back from the dead. In fact, there's a whole raft of tools that can get at the deleted info. For example, all comprehensive commercial software utility kits (including the most-popular suite, the Norton Utilities) have one or more ways to scour the hard-drive surface, looking for what's left of erased files and converting them back into easily accessible normal files. Many disk utility kits also include Unformat tools that can likewise recover data from a disk that's been completely reformatted.

Advanced users can employ low-level "sector editors" that can examine a hard drive bit by bit, recovering anything of value or interest, anywhere on a drive, even if it has been partially overwritten or is otherwise inaccessible to the normal disk operating system.

Professional data-recovery services and governmental investigative agencies can go even further: Using special hardware and software, they sometimes can recover data from disks that have been completely and repeatedly overwritten with new data, or even disks that have been physically damaged.

But sometimes, no fancy tools are needed at all. Take Andy's case. All the repair techs had to do was replace the motor and plug Andy's drive back into a PC. Windows, through its Plug and Play mechanism, would then auto-detect any hardware differences between Andy's system and the new one it's running on and load the appropriate drivers. When the system booted, it would return to the state it was when Andy last used it, with all the drive contents available to the drive's new owners.

Security, The Hard Way...

"Sanitizing" a hard drive so others can't access its data is possible, but achieving a high level of hard-drive security involves far more hassle than most of us are willing to endure.

For example, the U.S. Department of Defense-prepared "National Industrial Security Program Operating Manual" (see http://nsi.org/Library/Govt/Nispom.html) calls for the following steps to be taken to dispose of hard drives that contain moderately sensitive information:

Overwrite all addressable locations with a single character.
Degauss with a Type I degausser.
Degauss with a Type II degausser.
Overwrite all addressable locations with a character, its complement, then a random character and verify.
Destroy: Disintegrate, incinerate, pulverize, shred, or melt.

Amazingly, this still doesn't provide the very highest levels of security (mainly because the many steps themselves constitute a potential security problem). The manual screams in all capital letters: "THIS METHOD IS NOT APPROVED FOR SANITIZING MEDIA THAT CONTAINS TOP SECRET INFORMATION."

Imagine what's involved in sanitizing really sensitive data!

...And The Easy Way

Fortunately, most of us don't have to worry about achieving the very highest levels of security. Simpler, gentler (and nondestructive) methods may suffice, as long as your drive is still spinning. (We'll return to Andy's special case in a moment.)

For one thing, you can take simple preventive measures: If a drive doesn't fail in its first few hours or days of use, it will usually work fine for a very long time. So, I never load anything critical on a new hard drive until it's "burned in" and I'm fairly sure it's going to be reliable for the long haul. (See "System Setup Secrets.") There have been times I've had to send almost-new systems and drives back for warranty repair, but in those cases, I haven't had to worry about security because there wasn't any sensitive data on the returned system.

But what happens once a drive or system has been put into use and does contain sensitive data? In many cases, the solution is a thorough "data wipe." This doesn't mean simple file deletion or disk reformatting. Rather, it refers to a more elaborate process that's sometimes called a "government wipe" (because it's based on earlier Department of Defense recommendations for hard-drive sanitizing). It's an automated 7-pass procedure that involves overwriting the entire file area (including the directory entry, where the file's name and attributes are stored) multiple times with random data, and truncating the file allocation record so that the wiped file appears to be a zero-length item. This kind of wiping is proof against all but the most elaborate, expensive, and time-consuming data-recovery techniques.

Many software tools offer "government wipe" ability (or an approximation thereof), including the Norton Utilities' WipeFile, plus the freeware tools Eraser and File Wipe For DOS. You can find many others by searching your favorite download site.

In most cases, running a thorough government wipe on a hard drive is about all you'll need before sending it in for repair, selling it, discarding it, or passing it on to someone else.

Hard-Core Hard-Drive Solutions

But there's a minority of cases where thorough data wiping won't be enough--cases where a system might contain make-or-break vital business plans, tax records, or other sensitive data that absolutely must not be compromised.

The solution here is hardware, because hard drives are relatively cheap. If the value of the data on your old drive exceeds the cost of buying a new drive, I think it's worthwhile to eat the cost of a new drive. Replace the old drive with a brand-new unused one, and then take steps to ensure that no one can ever use the old drive again.

First, if the drive is still working, data-wipe it if you can. Then (whether working or not) physically destroy the drive. You don't have to go as far as the Department of Defense recommendation of "disintegrate, incinerate, pulverize, shred, or melt." Rather, just pop open the drive case (it's usually just a matter of loosening a few screws and it takes just a couple minutes) and drag the screwdriver tip over the platters. This will render the data on the disk unrecoverable to all but the most expensive and elaborate types of reconstruction, and will prevent all casual hackers, crackers, dishonest repair technicians, hand-me-down users, or even dumpster-diving snoops from doing much of anything with the old drive.

Closing the "dead drive" security loophole takes a little time or money. But the time spent in data-wiping a drive that's changing hands, or the money it takes to replace a drive that's been physically disabled to prevent reuse, can actually be a very smart investment in security.
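As an added illustration (not part of Langa's article or this email), here is a toy Python model of the two points above: why an ordinary delete or reformat leaves file contents on the platter where a raw-sector scan finds them, and how the "character, its complement, then a random character and verify" overwrite pass removes them. The 256-byte "directory" layout and the marker string are constructed for the demo, not a real file system.

```python
# Added illustration, not from Langa's article: a toy disk image showing why
# delete/reformat leave data intact and how a char/complement/random overwrite
# with read-back verification (the NISPOM-style pass quoted above) removes it.
import secrets

DIR_SIZE = 256            # first 256 bytes act as the "directory"/allocation table (toy layout)
SENSITIVE = b"CONSTRUCTED-SAMPLE-PAYROLL-2001"   # constructed marker, not real data


def new_disk(size=4096):
    """Return (image, directory): a zeroed byte image and an empty name->(offset,len) map."""
    return bytearray(size), {}


def write_file(img, directory, name, data):
    """Place data after the directory area and record it; returns the offset used."""
    offset = DIR_SIZE + sum(length for _, length in directory.values())
    img[offset:offset + len(data)] = data
    directory[name] = (offset, len(data))
    return offset


def delete_file(directory, name):
    """Ordinary delete: only the directory entry goes; the bytes stay on the platter."""
    del directory[name]


def quick_format(img, directory):
    """Ordinary reformat: rewrite the allocation area only, leaving data sectors alone."""
    img[:DIR_SIZE] = bytes(DIR_SIZE)
    directory.clear()


def carve(img, marker):
    """What an unerase/sector-editor tool does: scan raw bytes, ignoring the directory."""
    raw, hits, pos = bytes(img), [], bytes(img).find(marker)
    while pos != -1:
        hits.append(pos)
        pos = raw.find(marker, pos + 1)
    return hits


def sanitize(img):
    """Overwrite every addressable byte with a character, its complement, then random
    data, verifying each pass by read-back. Returns True only if every pass verified."""
    n = len(img)
    for pattern in (bytes([0x55]) * n, bytes([0xAA]) * n, secrets.token_bytes(n)):
        img[:] = pattern
        if bytes(img) != pattern:      # read-back verification step
            return False
    return True
```

Running carve() after delete_file() and again after quick_format() still reports the marker's offset; only after sanitize() does the scan come back empty.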
