Configuration data stored in discarded devices can put companies at risk for cyberattacks or data breaches. | Gmx Pixel/Shutterstock[/caption]
Security software company ESET bought 16 used routers. Nine still held sensitive corporate data on them.
The company recently issued a press release highlighting the results of its research project, which found that over half of the networking devices it purchased on the secondary market hadn't been wiped properly and still held sensitive data that could enable cyberattacks leading to data breaches.
"The potential impact of our findings is extremely concerning and should be a wake-up call," Cameron Camp, the ESET security researcher who led the project, stated in a press release. "We would expect medium-sized to enterprise companies to have a strict set of security initiatives to decommission devices, but we found the opposite. Organizations need to be much more aware of what remains on the devices they put out to pasture, since a majority of the devices we obtained from the secondary market contained a digital blueprint of the company involved, including, but not limited to, core networking information, application data, corporate credentials, and information about partners, vendors, and customers."
The company noted that, of the networks with complete configuration data on them, all contained enough information to identify the former owner/operator, and all still held one or more IPsec or VPN credentials or hashed root passwords.
Some still contained other categories of sensitive data. For example, 22% had customer data, and one-third had enough information to allow third-party connections to the network.
[caption id="attachment_21697" align="aligncenter" width="900"] Configuration data stored in discarded devices can put companies at risk for cyberattacks or data breaches. | Gmx Pixel/Shutterstock[/caption]
Security software company ESET bought 16 used routers. Nine still held sensitive corporate data on them.
The company recently issued a press release highlighting the results of its research project, which found that over half of the networking devices it purchased on the secondary market hadn't been wiped properly and still held sensitive data that could enable cyberattacks leading to data breaches.
"The potential impact of our findings is extremely concerning and should be a wake-up call," Cameron Camp, the ESET security researcher who led the project, stated in a press release. "We would expect medium-sized to enterprise companies to have a strict set of security initiatives to decommission devices, but we found the opposite. Organizations need to be much more aware of what remains on the devices they put out to pasture, since a majority of the devices we obtained from the secondary market contained a digital blueprint of the company involved, including, but not limited to, core networking information, application data, corporate credentials, and information about partners, vendors, and customers."
The company noted that, of the networks with complete configuration data on them, all contained enough information to identify the former owner/operator, and all still held one or more IPsec or VPN credentials or hashed root passwords.
Some still contained other categories of sensitive data. For example, 22% had customer data, and one-third had enough information to allow third-party connections to the network.
Configuration data stored in discarded devices can put companies at risk for cyberattacks or data breaches. | Gmx Pixel/Shutterstock[/caption]
Security software company ESET bought 16 used routers. Nine still held sensitive corporate data on them.
The company recently issued a press release highlighting the results of its research project, which found that over half of the networking devices it purchased on the secondary market hadn't been wiped properly and still held sensitive data that could enable cyberattacks leading to data breaches.
"The potential impact of our findings is extremely concerning and should be a wake-up call," Cameron Camp, the ESET security researcher who led the project, stated in a press release. "We would expect medium-sized to enterprise companies to have a strict set of security initiatives to decommission devices, but we found the opposite. Organizations need to be much more aware of what remains on the devices they put out to pasture, since a majority of the devices we obtained from the secondary market contained a digital blueprint of the company involved, including, but not limited to, core networking information, application data, corporate credentials, and information about partners, vendors, and customers."
The company noted that, of the networks with complete configuration data on them, all contained enough information to identify the former owner/operator, and all still held one or more IPsec or VPN credentials or hashed root passwords.
Some still contained other categories of sensitive data. For example, 22% had customer data, and one-third had enough information to allow third-party connections to the network.
Categories