Security software company ESET bought 16 used routers. Nine of them still held sensitive corporate data.
The company recently issued a press release highlighting the results of its research project, which found that over half of the networking devices it purchased on the secondary market hadn’t been wiped properly and still held sensitive data that could enable cyberattacks leading to data breaches.
“The potential impact of our findings is extremely concerning and should be a wake-up call,” Cameron Camp, the ESET security researcher who led the project, stated in a press release. “We would expect medium-sized to enterprise companies to have a strict set of security initiatives to decommission devices, but we found the opposite. Organizations need to be much more aware of what remains on the devices they put out to pasture, since a majority of the devices we obtained from the secondary market contained a digital blueprint of the company involved, including, but not limited to, core networking information, application data, corporate credentials, and information about partners, vendors, and customers.”
The company noted that, of the devices with complete configuration data on them, all contained enough information to identify the former owner/operator, and all still held one or more IPsec or VPN credentials or hashed root passwords.
Some still contained other categories of sensitive data. For example, 22% had customer data, and one-third had enough information to allow third-party connections to the network.
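One way to check a device before it leaves the building, as an added example (not ESET's tooling and not code from the article): a small Python audit that scans a router configuration dump for the categories of residue the study reported, namely owner-identifying settings, IPsec/VPN credentials and hashed privileged passwords. The IOS-style config syntax, the pattern set and all sample values below are constructed for illustration.

```python
import re

# Added example, not ESET's code. Audits a configuration dump for the kinds of
# residue the study found on resold routers. Patterns are a constructed,
# IOS-style illustration; extend them for other vendors' syntax.
# Categories are checked in order and the first match wins per line.
RESIDUE_PATTERNS = {
    "owner_identity": [
        r"^hostname\s+(?!Router$)\S+",          # default name "Router" is not identifying
        r"^ip domain[- ]name\s+\S+",
        r"^snmp-server (location|contact)\s",
    ],
    "hashed_privileged_password": [
        r"^enable secret\s",
        r"^username\s+(root|admin)\s+secret\s",
    ],
    "ipsec_vpn_credential": [
        r"^crypto isakmp key\s",
        r"pre-shared-key\s",
        r"^username\s+\S+\s+(password|secret)\s",
    ],
}

def audit_config(config_text: str) -> dict[str, list[int]]:
    """Return {category: [line numbers]} for every residue category still present."""
    findings: dict[str, list[int]] = {}
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        stripped = line.strip()
        for category, patterns in RESIDUE_PATTERNS.items():
            if any(re.search(p, stripped) for p in patterns):
                findings.setdefault(category, []).append(lineno)
                break
    return findings

def is_safe_to_dispose(config_text: str) -> bool:
    """A device is ready for resale only when no residue category remains."""
    return not audit_config(config_text)

# Constructed sample of a 'forgotten' config; hashes and keys are placeholders.
UNWIPED_CONFIG = """\
hostname EXAMPLE-EDGE-01
ip domain-name example-corp.invalid
enable secret 5 $1$PLACEHOLDER$notarealhashxxxxxxxxxxxx
username admin secret 5 $1$PLACEHOLDER$notarealhashyyyyyyyyyyyy
crypto isakmp key PLACEHOLDER-PSK address 192.0.2.10
username vpn-partner password 7 PLACEHOLDER
snmp-server location Example Corp HQ, floor 3
"""

# Constructed sample of the same device after a factory reset.
WIPED_CONFIG = "hostname Router\nno ip domain-lookup\n"

if __name__ == "__main__":
    for name, cfg in (("unwiped", UNWIPED_CONFIG), ("wiped", WIPED_CONFIG)):
        print(name, audit_config(cfg), "safe to dispose:", is_safe_to_dispose(cfg))
```

Run it against a real config export and treat any non-empty result as a reason to keep the device out of the resale channel until it has been wiped and re-audited.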
Who is affected
The devices came from data centers, law firms, third-party tech providers, manufacturing and tech companies, creative firms and software developers, according to the release. Where possible, ESET contacted those companies.
“Some of the organizations with compromised information were shockingly unresponsive to ESET’s repeated attempts to connect, while others showed proficiency, handling the event as a full-blown security breach,” the release notes.
In the past, other organizations have run research projects like this and have also reported finding residual data. In 2019, a consultant working for data security software company Rapid7 purchased dozens of devices from stores near his Wisconsin home and reported finding sensitive data on almost all of them.
Additionally, the National Association of Information Destruction (NAID) ran a research trial in 2017 in which the organization bought used electronics on the internet and then combed through them for residual data, finding ample amounts of personally identifiable information.