Businesses must consider all the data security implications when dealing with eWaste. Many companies are now opting to shred old equipment on top of using tools to wipe storage devices.
Just because you move files and folders into the recycling bin on your desktop doesn't mean they're gone forever. Even emptying the trash on your desktop doesn't mean they're gone forever. Ask any digital forensics team or security researcher, and they will agree that data that is seemingly wiped from a hard drive is not always lost forever. You'd be surprised how much information can be resurrected from an old piece of hardware. Bad actors have been known to mine data from old devices in what is essentially a landfill. A lot more electronic information remains on those devices than many companies want to believe. To make things worse, there is a regulatory compliance concern with eWaste as well.
These devices need to be sanitized, whether by using disk wiping tools, secure erase, or even physical destruction of old storage devices with a shredder. Physical destruction may be the most permanent method, but many of us would like to do the right thing and donate or recycle these devices to someone who can give them new life. Unfortunately, there are a lot of security issues involved in donations that make this problematic.
I had the chance to chat with John Shegerian, who is the co-founder and executive chairman of Electronics Recycling International (ERI), a leading fully integrated IT and electronics asset disposition provider and cybersecurity-focused hardware destruction company. ERI is responsible for the secure destruction of billions of pounds of eWaste each year, which guarantees data destruction.
You can follow John Shegerian on Twitter, @johnshegerian.
How ERI Evolved from An eWaste Solution to a Security Solution
ERI emerged as a pioneer in the eWaste business from the dot com era of the early 2000s. Since then, John and his partners have been evolving their eWaste business to meet the demands of eWaste and data destruction today.
"What we saw with electronics back then in [2002-2004] were becoming the fastest growing solid waste stream in the world," John explained. "We became an environmental solution for the technological revolution."
ERI (based out of California back then) would recycle all the material by breaking down all the eWaste into glass, palladium, plastics, steel, copper, aluminum, and gold. All of these materials would head to smelters around the world and be reused for new electronics and other purposes where there was a need. Environmentally, ERI's solution was a huge success. But things began to change. Cybersecurity and data privacy became part of the vernacular.
John goes on to say, "All of the electronics we touch are full of data, and touching our data, so you have a convergence of two huge trends."
Cybersecurity and eWaste would become one and the same as we see it today. This changed the entire scope of how businesses perceive eWaste. Not only were companies concerned with recycling their old devices, now they were on the hook for making sure that the data on those devices never saw the light of day. Unfortunately, donating old equipment became a security risk.
Donating Legacy Hardware Today
Donations used to be a way for companies to offload a lot of their eWaste. It was a great way to provide devices to public-sector schools with little funding and to non-profits, such as the Salvation Army.
"The Salvation Army has become a big client of ours. We do a lot of the behind-the-scenes recycling for them." John goes on to explain that ERI even goes as far as paying the Salvation Army to recycle eWaste in a way that helps with the goodwill of the Salvation Army's mission.
"So there is a donation model that still exists. But given the sensitivity of data, we have to bring it in and make sure all the data is wiped...OR wiped or shred. Because the liability that runs with the data is massive," John exclaims.
Even local governments are using companies like ERI to make sure that sensitive data is not going to get out into the wild after a donation is made.
How eWaste is Being Used By Bad Actors
Originally, eWaste being shipped overseas from the US wasn't a big issue. Companies in China and elsewhere would take the eWaste and recycle it into other electronics. However, that soon changed as bad actors learned that data isn't always completely wiped. For example, businesses would simply format a hard drive and send it to an eWaste facility or "landfill" in some other country and hope for the best.
As it turns out, nation-states and other bad actors were mining these seemingly old and useless devices for proprietary data, such as personally identifiable information (PII) and intellectual property. John explained what happened from his perspective.
"In about 2012 or 13, I got a phone call," John said. It turns out it was the Department of Homeland Security (DHS). They asked if they could meet with John and his partners. John and his partners obliged.
DHS and the FBI showed up to talk to John and his partners about what was happening to the eWaste. As it turns out, businesses were buying eWaste off the coast of numerous countries, primarily Hong Kong, China, Africa, and India. But it wasn't for mining the eWaste for the fine metals and other materials. It was for nefarious purposes, such as mining those devices for sensitive data.
Ultimately, bad actors were finding ways to extract sensitive data from eWaste for their own benefit. Today this is a compliance nightmare for companies. Cybersecurity is at the top of the list when it comes to the problems we have to tackle today, and companies need to consider that eWaste is part of that data protection and compliance paradigm.
You can go more in-depth into the discussion by listening to my interview with John Shegerian above. You can also check out more podcasts on Spotify and iTunes.