US missile data found on eBay hard drive

The launch procedures for a US military missile air defence system were found on a second-hand hard drive bought on eBay, researchers revealed today.

More than 300 hard disks were studied and researchers uncovered other sensitive information including bank account details, medical records, confidential business plans, financial company data, personal id numbers, and job descriptions.

The drives were bought from the UK, America, Germany, France and Australia through computer auctions, computer fairs and eBay.

The exercise was carried out by BT's Security Research Centre in collaboration with the University of Glamorgan in Wales, Edith Cowan University in Australia and Longwood University in the US.

A spokesman for BT said they found 34% of the hard disks scrutinised contained "information of either personal data that could be identified to an individual or commercial data identifying a company or organisation."

The researchers concluded that a "surprisingly large range and quantity of information that could have a potentially commercially damaging impact or pose a threat to the identity and privacy of the individuals involved was recovered as a result of the survey."

Perhaps most surprising was the discovery of a disk bought on eBay that revealed details of test launch procedures for the THAAD (Terminal High Altitude Area Defence) ground to air missile defence system, used to shoot down Scud missiles in Iraq.

The disk also contained security policies, blueprints of facilities and personal information on employees including social security numbers, belonging to technology company Lockheed Martin - who designed and built the system.

Two disks appear to have been formerly used by Lanarkshire NHS Trust to hold information from the Monklands and Hairmyres hospitals including patient medical records, images of x-rays, medical staff shifts and sensitive and confidential staff letters.

In Australia, one disk came from a nursing home and contained pictures of patients and their wounds.

Confidential material including network data and security logs from the German Embassy in Paris were also discovered on a disk from France.

Other information uncovered included the trading performances and budgets of a UK-based fashion company, corporate data from a major motor manufacturing company and the details of a proposed 50 billion currency exchange through Spain involving a US-based consultant.

Dr Andy Jones, head of information security research at BT, who led the survey, said: "This is the fourth time we have carried out this research and it is clear that a majority of organisations and private individuals still have no idea about the potential volume and type of information that is stored on computer hard disks.

"For a very large proportion of the disks we looked at we found enough information to expose both individuals and companies to a range of potential crimes such as fraud, blackmail and identity theft.

"Businesses also need to be aware that they could also be acting illegally by not disposing of this kind of data properly."

Dr Iain Sutherland of the University of Glamorgan said: "Of significant concern is the number of large organisations that are still not disposing of confidential information in a secure manner. In the current financial climate they risk losing highly valuable propriety data."