Case Studies
CASE STUDY #93: Absent a cryptographic file system,
confidential information is readily accessible when owners
improperly retire their disk drives. In August 2002, for example,
the United States Veterans Administration Medical Center in
Indianapolis retired 139 computers. Some of these systems
were donated to schools, while others were sold on the open
market, and at least three ended up in a thrift shop where
a journalist purchased them. Unfortunately, the VA neglected
to sanitize the computers' hard drives; that is, it failed
to remove the drives' confidential information. Many of the
computers were later found to contain sensitive medical information,
including the names of veterans with AIDS and mental health
problems. The new owners also found 44 credit card numbers
that the Indianapolis facility used.
The VA fiasco is just one of many celebrated cases in which an
organization entrusted with confidential information neglected
to properly sanitize hard disks before disposing of computers.
Other cases include:
CASE STUDY #11: In the spring of 2002, the Pennsylvania
Department of Labor and Industry sold a collection of computers
to local resellers. The computers contained "thousands
of files of information about state employees" that the
department had failed to remove.
CASE STUDY #30: In August 2001, Dovebid auctioned off
more than 100 computers from the San Francisco office of the
Viant consulting firm. The hard drives contained confidential
client information that Viant had failed to remove.
CASE STUDY #19: A Purdue University student purchased
a used Macintosh computer at the school's surplus equipment
exchange facility, only to discover that the computer's hard
drive contained a FileMaker database containing the names
and demographic information for more than 100 applicants to
the school's Entomology Department.
CASE STUDY #62: In August 1998, one of the authors
purchased 10 used computer systems from a local computer store.
The computers, most of which were three to five years old,
contained all of their former owners' data. One computer had
been a law firm's file server and contained privileged client-attorney
information. Another computer had a database used
by a community organization that provided mental health services.
Other disks contained numerous personal files.
CASE STUDY #74: In April 1997, a woman in Pahrump,
Nevada, purchased a used IBM computer for $159 and discovered
that it contained the prescription records of 2,000 patients
who filled their prescriptions at Smitty's Supermarket pharmacy
in Tempe, Arizona. Included were the patients' names, addresses
and Social Security numbers and a list of all the medicines
they'd purchased. The records included people with AIDS, alcoholism,
and depression.
CASE STUDY #28: Two well-documented public examples illustrate
isolated cases of information leaking through hidden text
mechanisms. In February 2003, the UK government issued a report
in Word format (ultimately known as the "Dodgy Dossier") on
the alleged existence of weapons of mass destruction (WMDs)
in Iraq. Some consternation arose when the names of various
editors of the document were found hidden inside the file.
Ultimately, the roles of these four individuals were called
into question in connection with doubts about the quality
of British intelligence before the second Iraq war (see www.computerbytesman.com/privacy/blair.htm).
CASE STUDY #53: In the late 1990s, Kenneth Starr issued
a report in WordPerfect format about US President Bill Clinton's
involvement with White House intern Monica Lewinsky. Quirks
in the format conversion process brought to light footnotes
in the report that ostensibly had been deleted (see http://catless.ncl.ac.uk/Risks/19.97.html#subj3).