Storage

Lock IT Down: Consider security before returning a failed hard drive

Dont forget about the data on your hard drive before sending it back to be fixed


Replacing a failed hard drive that’s still under warranty is usually a simple process. You call the manufacturer, request a new drive, and return the old unit. When security is a concern, however, things are a bit more complicated as dead hard drives have a habit of coming back to life. This article recounts a situation when security called for a slightly different approach for returning a defective drive.

How it all started
I received an urgent support call to inspect a failed IBM RS/6000 midrange server. An immediate site visit by my technician revealed that the server’s single hard drive had failed. According to the tech, it had “overheated and been fried.” Since the hard drive was still under warranty, we requested a replacement from IBM. We installed the new hard drive, restored the data, and were up and running in no time.

Returning the failed drive
The drive’s replacement-under-warranty program called for defective devices to be returned to the manufacturer. As such, IBM wanted their old hard disk back. This is when the problems began.

In this case, the failed hard drive came from the local police department. As you can imagine, highly confidential information tends to be stored on hard drives used by the police, FBI, CIA, and so on. As such, returning hard drives from such organizations is not a simple procedure.

I was soon stuck between three departments, each with their own agenda and concerns.
  1. IBM’s customer service department: They wanted their old hard drive back under the terms of the support agreement, period! Otherwise, they would proceed to bill us for the new hard drive.
  2. The police department: They did not want to give up their old hard drive, period! They offered to pay for the new hard drive so they could keep the old one.
  3. The city council: They would not approve the funds to pay for a new hard drive to replace one that was under warranty, period! The council feared such action would create a precedent other city departments could use to request funds for items under warranty.

After lengthy discussions, the police department and city council finally agreed to turn the failed drive over to me and allow its return. I was, however, required to write a formal Letter of Assurance to both the council and the police, giving my assurance that the old hard drive was indeed useless and that no confidential information could ever be recovered from it.

I do not know about you, but this letter was a rather tall order. After all, can we ever be sure that a failed hard drive is indeed immune to all data recovery efforts? Writing such a letter was like placing my neck on the block, and I needed more information before giving such assurances.

So what happens to dead hard drives?
I asked around a little to see where defective hard drives end up. The following list came from my own experience as an IT manager at a nonprofit college, two friends in the IT support field, and an IBM sales representative. It seems that manufacturers tend to collect failed hard drives and do any of the following:
  • Sell them to a recycling distributor via auctions.
  • Donate them to schools as tax write-offs.
  • Give them to their internal research teams for testing.

These all seemed quite harmless to me except for the fact that many hard drives simply disappear for lack of proper tracking. It was this disappearance that had me worried.

A solution presents itself
I don’t know exactly what got into me, but an idea suddenly popped into my head. I called the police chief and asked if I could have his approval to visit the police firing range with the hard drive. After a few seconds of silence, he laughed. I added that if I could get IBM to accept a bullet-ridden hard drive, all would be well. I got his approval.

I then called IBM. I asked them to accept a challenge. I would return a hard drive that was so badly damaged that all of IBM’s data recovery efforts would be futile. I got their approval.

With that, I watched our police officers use the hard drive as target practice. Ever seen a hard drive pounded by a machine gun? It’s a scream. I then returned the mangled hard drive to IBM and have not heard about any data being recovered.

Think before you act
When you are about to return a defective hard drive, think twice. Your career might be on the line. Mine was. Give security a thought.

Share your creative solutions
If you have an innovative technique for solving a difficult problem, we want to hear about it. What do you think of Kyu’s solution? Post a comment or write to Kyu Rhee and share your thoughts and experiences.

 

Editor's Picks