As a follow-up to my initial blog posting back in September of last year titled “The Data You Left Behind!”, I am extremely excited to write about some of the reactions and changes this little research project has had.
A few weeks ago the Vice President of Unclaimed Baggage reached out to us about my research and the blog posting. Unfortunately, I was tied up at the time of his call, so I learned about it by listening to my voicemail. My initial reaction when I saw who the call was from was, “Oh great, just what I need right now!” I expected the voicemail to be some sort of angry message with possible threatening implications, but much to my surprise it was a pleasant message. If you have ever done any security research or disclosed a vulnerability before, you probably know firsthand how rare it is for someone involved with the project to be pleasant!
The Vice President was intrigued by my project and was reaching out to me for more information. Long story short, our phone conversation was centered on our recommendations and how we could possibly help Unclaimed Baggage prevent this issue from occurring in the future. Much to my surprise the Vice President had already pulled all removable media from the shelves and was determined not to sell another storage media device until he was confident that Unclaimed Baggage was doing everything possible to prevent this from occurring again. We ended the call by scheduling an onsite meeting between his staff, himself, and me.
The onsite meeting was just as pleasant as the phone conversation. Much to my surprise, Unclaimed Baggage was already taking several proactive measures to prevent this sort of data loss. They were well aware of these types of threats and the importance of securely wiping storage media. Their current processes included securely wiping data on all hard drives, including those in laptops that they would then reload for resale. Not to get into too much detail, but their processes for securely wiping data on these hard drives far exceeded the DoD 5220.22-M data sanitization requirements. This alone was extremely surprising to me, as I would have never thought a small business in which media storage devices probably make up less than one percent of their overall retail sales would take protecting other people’s data so seriously.
The Unclaimed Baggage IT staff also brought to light other devices they were securely wiping data from that I had not initially considered. These devices included gaming systems (portable and consoles), mobile phones, all sorts of mobile devices like tablets, and even media readers like the Kindle and Nook. These devices are a major part of most of our daily lives, and the amount of sensitive information we store on these devices is probably well beyond our initial assumptions, so hearing that the Unclaimed Baggage staff were already proactively addressing these devices was extremely refreshing!
Why is this so refreshing and exciting to me? Well, the answer is simple: in a majority of my past research projects and vulnerability disclosures, the parties involved didn’t have the same openness or enthusiasm as the folks at Unclaimed Baggage did. Unclaimed Baggage is a great example of how companies both large and small should react to research and projects of this nature. I am also super excited to know that Unclaimed Baggage cares so greatly about not only their customers, but those people that have to deal with the fact that they have lost their treasured items. Unclaimed Baggage demonstrates this care by taking such a proactive approach to ensuring that your “Unclaimed Baggage doesn’t Imply Unclaimed Data!”