Server Disposal: Businesses Are Still Making the Same Mistakes

Server with fingerprint, keys, and id card overlaid on top of it

Posted on Thursday, January 24, 2019

For years we’ve been hearing about sensitive personal data and corporate IP turning up on unused servers that have been retired and sold. But despite warnings from media and government, the same mistake is still being made. 

An anecdotal report from a Romanian reseller of second-user hardware suggests that businesses are disposing of servers without completing even the most basic data removal routines. Over the past three years the vendor has found sensitive personally identifiable data (PID) from a Dutch health insurer, traffic control systems for Spanish cities and payment data belonging to customers of a major UK supermarket.

Where businesses are going wrong

There are several things to note from this report:

  • This is not a ‘small business’ issue. The organizations involved are huge– some are even government agencies. And all should have procedures in place to manage the control and destruction of data on retired servers.
  • Businesses are not taking GDPR seriously. Leaking personal data through negligence is sure to attract the attention of national regulators, and potentially massive fines of €20m or more. But the fact that this data is still being discovered shows that organizations are not meeting their responsibilities.
  • Server hardware is not being checked before disposal. When sending servers to be resold, most businesses confirm they have already deleted data stored on them. When the systems arrive for processing however, it quickly becomes clear that nothing has been removed at all. Engineers tasked with formatting drives are simply not doing the work as claimed.

Less scrupulous dealers will capitalize on these mistakes

By giving away sensitive data, organizations are opening themselves to prosecution, blackmail, fraud or insider trading. And unscrupulous server vendors will sell these systems on to criminals. 

When disposing of redundant servers and disk arrays, your business must choose a reputable partner who can assist with secure data deletion before (or after) hardware leaves your site. They can also provide a full audit of activities to confirm data has been removed– useful evidence in the event of an investigation by a national data controller.

To learn more about secure asset disposal, and how to potentially realize residual value from your servers, please get in touch.

Download article as a PDF - Server Disposal: Businesses Are Still Making the Same Mistakes

More Articles

Hard drive with circles spinning around it

Dell EMC: More Power, Fewer Processors

Dell EMC has gone back to single-socket servers and boosted computational power at the same time. But how?

open folder with redacted text & image of refresh button

Dirty OEM Secret #3: No One Cares About Feature Updates

Regular feature updates are said to be an important reason for renewing OEM maintenance contracts– but are they?