HDDs from the Kanagawa prefectural government were resold on an auction site without the data having been completely erased, in what has been reported as the “world's worst” personal information leak. Broadlink, the company that was commissioned by Fujitsu Leasing to completely erase the HDDs and whose employee stole them, held a press conference in Tokyo to explain the security system at issue and its measures to prevent a recurrence.
This is the background of the incident. On November 27 it was discovered that HDDs the company had been commissioned by Fujitsu Leasing to erase completely had been taken outside and resold on an auction site. An internal investigation identified an employee, who was then questioned directly. It emerged that HDDs and other items had been taken out of the company before their data was erased and then resold. On December 6 the company dismissed the employee. On the same day, it reported the matter to the Omori Police Station in Kanagawa Prefecture and submitted a damage report.
The company had the following seven security measures in place:
1. Entry / exit management by fingerprint authentication and card authentication
2. Logging of who entered and exited, through which door and at what time, to the minute
3. 24-hour monitoring cameras installed at various locations
4. Barcodes attached to all purchased PCs, which are traced from arrival to data deletion
5. Baggage inspection to prevent items from being taken out of the data erasing work room
6. A buzzer that sounds when the data erasing work room door is left open for 1 minute
7. Theft-prevention measures, such as uniforms with the pockets sewn shut, worn when entering the room
The company used the following three data erasing methods for HDDs:
1. Physical destruction by drilling holes at 4 points
2. Destruction of data by instantaneous magnetic irradiation
3. Software erasure by writing random numbers with dedicated software
In addition, as an option, the company offered a service in which HDDs are erased or destroyed at a site of the customer's choosing, or in front of the customer. If a customer asked for evidence of data erasure, it also provided an optional erasure certificate. The contract with Fujitsu Leasing did not include sending a certificate of data erasure completion.
Two administrative issues
Why was an employee able to steal HDDs despite the security measures above? According to the company, there were two administrative issues:
1. HDD number management was insufficient
The company counted HDDs when they were removed from a PC. However, multiple extracted HDDs were destroyed together, and the company neglected to match the counts before and after destruction.
2. Baggage inspection was insufficient
The company conducted baggage inspections when staff entered and left the data erasure room, but not always. In particular, full-time employees rotate shifts in 24-hour units, and because of these irregular working patterns the baggage inspection had become a formality.
Prevention of recurrence: introducing an airport-style metal detection gate
The company presented the following two measures to prevent recurrence in the future.
1. Because management of the number of HDDs was insufficient, the number of HDDs will be matched before and after destruction. In addition, photos of all HDDs before and after destruction will be submitted to customers who requested data deletion for all their HDDs. This is already being done.
2. During operating hours, body checks and baggage inspections using handheld metal detectors will be conducted at every entry to and exit from the data erasing room. The policy is to reassign security guards to inspection work as soon as preparations are complete.
In the future, a large airport-style metal detection gate will be introduced. The company explained that it would work to ensure security and restore trust.
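The before-and-after matching described above can be checked per drive rather than per count. The following is an added example, not the company's system: it assumes each HDD's serial number is recorded at extraction and again at destruction (the record layout, serials and barcodes are constructed), and shows a batch whose totals match even though one drive was never destroyed.

```python
from collections import Counter

def reconcile(extracted, destroyed_batches):
    """Match drives logged at extraction against drives logged at destruction.

    extracted:         list of (pc_barcode, hdd_serial) recorded at removal
    destroyed_batches: {batch_id: [hdd_serial, ...]} recorded at destruction
    """
    owner = {serial: pc for pc, serial in extracted}
    destroyed = Counter(s for batch in destroyed_batches.values() for s in batch)
    return {
        "count_before": len(extracted),
        "count_after": sum(destroyed.values()),
        # Extracted but never destroyed: drives that may have left the room.
        "missing": sorted((s, owner[s]) for s in owner if s not in destroyed),
        # Destroyed but never logged at extraction: a gap in intake records.
        "unexpected": sorted(s for s in destroyed if s not in owner),
        # Logged as destroyed more than once: pads the count and hides a loss.
        "duplicates": sorted(s for s, n in destroyed.items() if n > 1),
    }

def is_clean(report):
    """True only if counts match and every serial is accounted for exactly once."""
    return (report["count_before"] == report["count_after"]
            and not report["missing"]
            and not report["unexpected"]
            and not report["duplicates"])

# Constructed sample records (not data from the incident).
EXTRACTED = [
    ("PC-0001", "HDD-A1"),
    ("PC-0001", "HDD-A2"),
    ("PC-0002", "HDD-B1"),
    ("PC-0003", "HDD-C1"),
]
DESTROYED = {
    "batch-01": ["HDD-A1", "HDD-A2"],
    "batch-02": ["HDD-B1", "HDD-B1"],  # B1 entered twice, C1 never destroyed
}

if __name__ == "__main__":
    report = reconcile(EXTRACTED, DESTROYED)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("clean:", is_clean(report))
```

A count-only comparison passes this sample (4 before, 4 after); the per-serial comparison is what surfaces the undestroyed drive and the PC it came from.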