Data protection is a hot topic worldwide, and it seems news headlines can go only days at a time before details of some kind of leak or breach crop up. When it comes to data management, legislative and regulatory requirements are increasing, but does your business do what it should to ensure the complete destruction of data when the time comes? Read on to check up and learn more.
The Misconception of ‘Delete = Gone’
All too often, organizations believe that deleting files from the desktop then emptying a device’s ‘recycling bin’ permanently removes data from their machines. Those not quite so naïve may even move to format a drive to remove information, but still – this is inadequate.
The reality is that most methods of deleting data simply remove the pointers to the data rather than the data itself. This means the data can be recovered by anyone who knows how – and frequently, when devices have been resold, recycled or discarded at the end of their life for an organization, any sensitive information they held can be accessed.
In one widely cited study, Blancco Technology Group, a security firm with whom Procurri worked, sent researchers to buy used hard drives and SSDs from online marketplaces and electronics recyclers. Despite most being described as having had their data wiped before the point of sale, many still contained information – and when recovered, it was discovered that accessible data included employee records, internal company documents, and personal photos.
A separate study conducted by researchers at the University of Hertfordshire in the UK accessed used hard drives and uncovered information such as medical records, financial spreadsheets, and login credentials left behind by previous owners.
Of course, the improper wiping of sensitive data can have devastating consequences for businesses, which have legal and moral obligations to ensure it is no longer accessible.
What Actually Happens When You Delete Data
Technically, hitting ‘delete’ on a file typically means only that its storage space is marked as available. The underlying data remains in place until it is overwritten by new data. With recovery tools, deleted files can often be restored in minutes.
Each storage type handles deletion differently because of how the underlying storage technology manages data blocks.
Deleting Data on HDDs
Conventional Hard Disk Drives store data magnetically on spinning platters. When a file is deleted from an HDD, the file system removes the reference to the file, but the actual data remains in place until it is overwritten by new data.
This means that the simple deletion of data or formatting of HDDs is not sufficient. Instead, secure overwriting of the data or actual physical destruction of the drive is required.
Deleting Data on SSDs
Solid-State Drives store data in flash memory. Deletion works slightly differently here because of wear-levelling and ‘garbage collection’. When a file is deleted, the operating system (OS) marks the block as unused. The SSD controller may later clear it using background processes. However, because of wear-levelling, data can persist in hidden memory cells that are not easily overwritten by standard wiping tools.
For SSDs, this means that specialised erasure commands or cryptographic data erasure are often the only way to wholly guarantee data is destroyed beyond recovery.
Deleting Data on Mobile Devices
Most mobile devices such as smartphones and tablets use flash storage similar to SSDs, but with additional layers of encryption and OS protections included. For devices running Android or iOS as their OS, deleting files usually removes the references to that data in the file system. Device-level encryption is also laid over the data blocks, so a full device factory reset is often the only way to delete the encryption keys.
If the device-level encryption is properly implemented, destroying the encryption keys through a factory reset can render data unreadable. However, if a device is misconfigured or a reset is incomplete, data may still be recoverable.
Deleting Data on Servers and Enterprise Storage Arrays
Enterprise systems such as SAN (Storage Area Network) and NAS (Network Attached Storage) environments add a further layer of complexity. When data is deleted, files frequently still exist in snapshots, backups, or replicated volumes – and in virtual environments, data may be left in virtual disks or decommissioned storage pools. Storage systems often use deduplication and thin provisioning, which can leave fragments across multiple disks.
Because files exist in more than one location, data sanitisation must account for all copies, snapshots, and replicas, not just the primary storage location.
The Risks of Insufficient Data Removal
Failing to properly remove data from IT equipment can expose businesses to significant operational and security risks. Often, such risks occur at the point of hardware being retired and handed over to a third party for ITAD processing.
The most immediate risk is the exposure of confidential and/or sensitive information, which can have severe legal consequences for the business responsible for removing the data. Leaked personal information can lead to security issues and will breach compliance regulations such as the Data Protection Act and the UK GDPR (General Data Protection Regulation).
From a business perspective, sensitive information such as research, strategies or designs could also pose a risk if accessed, as the leakage of intellectual property could put the business in a compromising position with competitors. Logon credentials and internal system information may also be present, which could give anyone accessing them maliciously a pathway into corporate systems.
Any information leaked as a result of improper data removal can have vast onward financial and reputational consequences. Regulatory fines and costly legal action can run up into the millions, and the loss of consumer trust can be immeasurably damaging.
What Secure Data Destruction Looks Like
Procurri is a secure ITAD provider and offers a variety of data destruction methods that guarantee entire removal of any data stored on devices processed. These include:
Data Erasure
Data Erasure is a software-based process that overwrites existing data with new patterns of information such as random 0s and 1s. This ensures that the original data cannot be recovered while allowing the hardware to be safely reused or resold. Once completed, the process is verified and a certificate of data sanitisation can be issued as proof that the device is free of data.
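The overwrite-then-verify flow described above, together with the earlier point that deletion only removes pointers, as an added example (not Procurri's or Blancco's tooling). `ToyVolume`, its block size and the sample record are constructed for illustration, and the model assumes a logical write lands on the same physical block, which holds for HDD-style media but not for wear-levelled flash.

```python
import hashlib, os, tempfile
BLOCK = 512  # toy sector size (assumption for this example)

class ToyVolume:
    """File-backed stand-in for a drive: raw blocks plus a pointer table."""
    def __init__(self, path, blocks=64):
        self.path, self.blocks, self.table, self.next_free = path, blocks, {}, 0
        with open(path, "wb") as f:
            f.write(b"\0" * BLOCK * blocks)

    def write_file(self, name, data):
        start, n = self.next_free, -(-len(data) // BLOCK)  # ceil division
        if start + n > self.blocks:
            raise OSError("volume full")
        with open(self.path, "r+b") as f:
            f.seek(start * BLOCK)
            f.write(data)
        self.table[name] = list(range(start, start + n))
        self.next_free += n

    def delete(self, name):
        del self.table[name]  # only the pointer is removed; blocks are untouched

    def raw_contains(self, needle):
        with open(self.path, "rb") as f:
            return needle in f.read()

    def erase_and_verify(self):  # overwrite pass, then read-back verification
        digests = []
        with open(self.path, "r+b") as f:
            for _ in range(self.blocks):
                pattern = os.urandom(BLOCK)
                f.write(pattern)
                digests.append(hashlib.sha256(pattern).digest())
            f.flush()
            os.fsync(f.fileno())  # push the overwrite out of OS buffers
            f.seek(0)
            ok = all(hashlib.sha256(f.read(BLOCK)).digest() == d for d in digests)
        self.table, self.next_free = {}, 0
        return {"blocks": self.blocks, "verified": ok}

def demo():
    secret = b"CONSTRUCTED-SAMPLE payroll record 0001"  # constructed sample data
    with tempfile.TemporaryDirectory() as d:
        vol = ToyVolume(os.path.join(d, "drive.img"))
        vol.write_file("payroll.csv", secret * 20)
        vol.delete("payroll.csv")
        after_delete = vol.raw_contains(secret)  # still present on the raw image
        report = vol.erase_and_verify()
        return after_delete, report, vol.raw_contains(secret)
```

The returned report plays the role of the verification record behind a certificate of data sanitisation: it states how many blocks were overwritten and whether the read-back matched.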
Degaussing
This technique exposes magnetic storage devices such as hard disk drives to a powerful magnetic field, which permanently removes the stored data by disrupting the magnetic patterns on the disk. After degaussing, the drive becomes unusable, ensuring the information cannot be retrieved.
Data Masking
In some cases, additional techniques such as data masking may also be used to further protect sensitive information. This approach encrypts or alters data structures so that the original information can no longer be accessed or reconstructed.
Physical Device Destruction
Where the utmost in security is required or the device is beyond reuse or recycling, Procurri offers physical device destruction. This includes industrial shredding, crushing, or bending of storage devices to ensure that the hardware and the data stored on it are completely destroyed and unrecoverable. Physical destruction is typically used for end-of-life equipment or highly sensitive storage media.
Procurri’s Data Destruction Credentials
At Procurri, we’re proud that our ITAD services are supported by a range of recognised industry certifications and standards that demonstrate our commitment to secure, compliant, and auditable data destruction. These credentials help ensure that organisations can safely retire IT assets while protecting sensitive information and meeting regulatory obligations – and can rest assured that all data is guaranteed to be wholly removed.
Our internationally recognised management and security certifications include ISO 27001 for information security management, ISO 9001 for quality management, and ISO 14001 for environmental management. These certifications reflect the company’s adherence to strict operational, security, and sustainability standards across all ITAD processes.
In addition, the Procurri facilities and services are certified by the Asset Disposal and Information Security Alliance (ADISA), which sets rigorous standards for secure IT asset recovery and data sanitisation. ADISA certification requires independent audits and forensic testing to verify that data destruction processes effectively prevent data recovery.
We also follow recognised data sanitisation frameworks such as NIST SP 800-88 Guidelines for Media Sanitization, HMG Infosec Standard 5, and National Association for Information Destruction (NAID) AAA Standard, ensuring that all data erasure and destruction methods meet globally accepted security benchmarks.
Procurri facilities use certified erasure technology from Blancco, a widely recognised provider of secure data erasure software. This enables high-volume data sanitisation with verifiable reports and certificates of destruction for every processed asset. Blancco rates us as a Gold status level provider.
Together, these credentials provide customers with assurance that Procurri’s ITAD services deliver secure, compliant, and fully traceable data destruction throughout the asset disposal process. Want to ensure your data is properly deleted? Get in touch with our team today and let’s talk ITAD!