Sensitive US Missile Defense Data Found on Computer Disk Bought on eBay

Note:  This article is from the British newspaper The Daily Telegraph.

(from Telegraph.co.uk) – Sensitive data detailing launch procedures for a U.S. military missile air defense system have been found on a second-hand computer hard drive bought on eBay.

More than 300 hard disks were studied and researchers uncovered other sensitive information including bank account details, medical records, confidential business plans, financial company data, personal ID numbers, and job descriptions.

The drives were bought from the UK, America, Germany, France and Australia through computer auctions, computer fairs and on the online auction site eBay.

The exercise was carried out by BT’s [British Telecom’s] Security Research Centre in collaboration with the University of Glamorgan in Wales, Edith Cowan University in Australia and Longwood University in the U.S.

A spokesman for BT [British Telecom] said they found 34 per cent of the hard disks scrutinized contained “information of either personal data that could be identified to an individual or commercial data identifying a company or organization.”

The researchers concluded that a “surprisingly large range and quantity of information that could have a potentially commercially damaging impact or pose a threat to the identity and privacy of the individuals involved was recovered as a result of the survey.”

Perhaps most surprising was the discovery of a disk bought on eBay that revealed details of test launch procedures for the THAAD (Terminal High Altitude Area Defence) ground to air missile defense system, used to shoot down Scud missiles in Iraq.

The disk also contained security policies, blueprints of facilities and personal information on employees including social security numbers, belonging to technology company Lockheed Martin – who designed and built the system.

Two disks appear to have been formerly used by Lanarkshire NHS Trust [Britain’s National Health Service] to hold information from the Monklands and Hairmyres hospitals including patient medical records, images of x-rays, medical staff shifts and sensitive and confidential staff letters.

In Australia, one disk came from a nursing home and contained pictures of patients and their wounds.

Confidential material including network data and security logs from the German Embassy in Paris were also discovered on a disk from France.

Other information uncovered included the trading performances and budgets of a UK-based fashion company, corporate data from a major motor manufacturing company and the details of a proposed 50 billion currency exchange through Spain involving a US-based consultant.

Dr. Andy Jones, head of information security research at BT, who led the survey, said: “This is the fourth time we have carried out this research and it is clear that a majority of organisations and private individuals still have no idea about the potential volume and type of information that is stored on computer hard disks [hard drives].

“For a very large proportion of the disks [hard drives] we looked at we found enough information to expose both individuals and companies to a range of potential crimes such as fraud, blackmail and identity theft.

“Businesses also need to be aware that they could also be acting illegally by not disposing of this kind of data properly.”

Dr. Iain Sutherland of the University of Glamorgan said: “Of significant concern is the number of large organisations that are still not disposing of confidential information in a secure manner. In the current financial climate they risk losing highly valuable propriety data.”

A spokesman for Lockheed Martin said: “Lockheed Martin is not aware of any compromise of data related to the Terminal High Altitude Area Defence program.

“Until Lockheed Martin can evaluate the hard drive in question, it is not possible to comment further on its potential contents or source.”

Information appearing on telegraph.co.uk is the copyright of Telegraph Media Group Limited and must not be reproduced in any medium without licence. Reprinted here for educational purposes only. May not be reproduced on other websites without permission from the Telegraph. Visit the website at telegraph.co.uk.