As the company no longer exists no action can be brought against them. That just leaves the directors. We can but hope.
In the meantime does this leave Robert with the costs of certified erasure now he's in possession of the drives?
Typically shoppers can expect to find tie-dye t-shirts, broken lamps and old disco records at flea markets, now it seems storage drives filled with huge volumes of sensitive data can be added to that list. Robert Polet, a 62-year-old techie and apparent bargain hunter from Breda, a city in the southern part of the Netherlands …
It depends on the jurisdiction. IANAL but as I understand it in the UK a limited company protects the directors and shareholders from financial liability, but not liability for dodgy behaviour. In France I believe it is the other way around. In NL, I dunno.
There's BV and NV and I don't see either attached to the company name.
https://www.startingabusinessnl.com/starting-a-bv/about-a-bv/differences-bv-nv/
Also a BV gives more flexibility in arranging the articles of association. For instance, the articles of association of a BV can determine that the shareholders can be held liable for the debts of the BV. The articles of association can also restrict the transferability of the shares or determine that the issued shares do not have any voting rights or profit rights.
Shareholders are financially protected. Directors vastly less so.
On paper anyway
Dodgy behaviour includes quite a number of (unlawful) practices that have become normalised over the last 3 decades of tory(*) "light touch" regulation and holding directors responsible usually gets met with handwaving about it being "too hard"
The effective result is that it's become a Wild Wild West that's only just starting to be reined in by regulators who've been systematically short-funded for decades as a deliberate ploy to keep them toothless
(*) Both the Thatcher type and the Blair type.
YMMV in other countries. USA is arguably much worse whilst Germany much better
As the company no longer exists no action can be brought against them
As they were not a medical company, but a software company, the medical data must have come from somewhere else. It's possible the "somewhere else" might be responsible. It's also possible, if the defunct company had been entrusted with secure erasure, that the liquidators might be responsible if these were treated as valueless assets to be casually disposed of. But I suspect the expenditure of effort to assess any potential liability might be seen as burdensome by the regulator.
One of my clients got into a business that transitions seniors to new housing and handles the disposal of estates. I've wound up as their "computer guy" that can go through the drives and pull out anything that the family may want or need and then securely wipe the drives. In practice, the securely part is reformatting them and using them myself for backups. If the computer will be refurbished, I'll be more thorough. My pay is all of the used computer gear I want. Anything that's still moderately useful gets a fresh OS install, some open source apps and winds up available to anybody that has a need, but doesn't have the money. The local churches and schools always seem to know somebody that can use one. My schedule is so erratic that it's hard to commit to volunteering somewhere, but this I can do.
A few years back, a friend of mine died. I volunteered to help his widow clear out his hoard of, well, everything, really. We had a decent wake in my shed during which we recommissioned a couple of motorbikes he'd owned for decades, which I'm sure he would have enjoyed.
Anyway, after that, I started in on his hoard of computer gear. He'd spent about four decades tinkering with his own computers, and supporting a couple of small organisations and his entire extended family. And he'd never thrown anything away. There were several rooms and a decently large shed packed with bits of old computers, including every hard disk and memory stick he'd ever used, replaced, or stored. Some were dated, including 5.25" SCSI units from 1984.
I brought two large car-loads back home and spent a very therapeutic couple of weeks recovering what data I could, which all fitted onto a single modern hard disk, then introducing the disks to a pillar drill and sledgehammer before dropping the remains off at the tip.
GJC
Maybe they hosted non cloudy sites / APIs to access such data and so data was stored with them?
Maybe they converted data from one format to another / extracted subsets of data for customers?
etc..
I can think of lots of reasons they may have the data, but not any reasons for it not being deleted as soon as not required as per GDPR.
No doubt people had been assured their data were safe. If anybody is brought to book then an official statement will be 'lessons have been learned' (in Dutch). And when the next sorry loss of personal information is carelessly treated we will hear the same excuses. Any failsafe protection protocols are dependent upon the humans who run them, and humans are lazy, feckless and untrustworthy.
I have e-wasted many computers over the years, but none contained a hard drive. Those are all pulled, set on a bench, and destroyed from 100 yards away. A well placed .308 will go right through, but a .22lr will just dent the drive.
Totally legit. Physical destruction of the storage media is just as acceptable as making multiple passes, writing ones & zeros to meet DoD 5220.22-M.
Cheaper too. And when done in quantity it can be an IT team building exercise....though the BOFH may debate whether it should be held off-site or not.
I take it you're in the US, as finding a firearm in the UK to carry out such destruction would be nigh-on impossible (and quite rightly, in my opinion). Although it does sound like a good way to let off steam. I would argue that a pickaxe/sledgehammer would likely work as well and be even cheaper.
As for that DoD nonsense – I would argue that unless the person trying to get your data has the resources of a national government and the motivation of that idiot looking to buy a landfill site, simply overwriting with a single pass of zeros would do it.
>as finding a firearm in the UK to carry out such destruction would be nigh-on impossible
Even in the UK you could find someone with a powerful enough rifle without much difficulty, although the UK challenge is shooting the HDDs without getting arrested.
>has the resources of a national government and the motivation of that idiot looking to buy a landfill site, simply overwriting with a single pass of zeros would do it.
A single pass of zeros will render the data on any modern HDD unreadable, considering that the data from a single modern platter with a single pass of 0 has never been recovered.
A requirement for multiple random passes makes it inconvenient to format a drive and the end result of that is drives getting dumped without even a filesystem delete.
There may be several "sports" shooters around, but I don't know any. Hence, finding one would be, for me, extremely difficult. I'm hardly likely to be well received just rocking up at a rifle range and asking to borrow a gun to shoot up some shit like Elvis with a TV. Bearing in mind I'm comparing this to the US, where you get a free handgun with every packet of cornflakes.
Okay, tell me how to go about it. I personally know nobody with any kind of firearm (unless they're keeping very quiet about it). Do I just start knocking on random doors and asking...?
Just for fun, let's see how that would go in the UK. There were 147,140 holders of firearm certificates in 2023 (excluding shotguns, which wouldn't be great for destroying a hard drive). There were approximately 28.4 million households in the United Kingdom in 2023. Back of the envelope, ignoring various second-order things that probably largely cancel out, this gives me a chance of slightly better than 1 in 200 for every door I knock on. I suspect that I'd be having words with a friendly officer before I'd got to a dozen.
I concede that, as a nation with more guns than people, the whole "shooting your hard drive" thing would be a lot easier in the US.
"considering that the data from a single modern platter with a single pass of 0 has never been recovered"
DOD erase and all the other multiple pass processes were described by Peter Gutmann as "unnecessary voodoo" in 1995. All of those processes assume 1970s-era hard drives with very low track/bit density and low levels of head absolute positioning repeatability.
Voice coil hard drives with a servo track have absolute repeatability down to low enough tolerances that there has been essentially no "track slop" for 30+ years (when was the last time you purchased a new drive that used stepper motors to position the heads?)
If you need the data, the Center for Memory and Recording Research at UC San Diego did it all.
They proved unless you can move the heads off the centre of the track, multiple overwrites make no difference.
They also developed an OS tool to trigger the secure erase unit command
"I would argue that a pickaxe/sledgehammer would likely work as well and be even cheaper."
This is an area I looked into quite heavily a while back as I had _thousands_ of old drives to deal with and secure erase really isn't worth the time for old drives if you can just render them unusable(*)
The best (aka most cost effective) solution I found was a device which would snap the drive in 2 lengthways, bending the platters and rendering them useless - anyone who wants to quote Peter Gutmann's atomic microscopy work should be aware of his followup paper where he was unable to replicate the results on 100MB "modern" drives let alone anything larger (the original tests were on 5 & 10MB stepper motor drives) - and as he also pointed out, when you're looking for 1Mb of data (about the practical maximum using atomic microscopy) on a 10Gb drive, the odds are very much against you
That said, these solutions weren't cheap. A basic disk shredder was $10-20k and the drive breaker was $5k - more if you want ones which don't need to be hand-fed individual drives
Secure erase is time consuming, but repurposing an old 16-24 bay supermicro chassis and some suitably crafted scripts makes it "setup and walk away". Pillar drills (drill presses for American/Australian/Kiwi readers) are time consuming and messy
HOWEVER: a 10-ton hydraulic bearing press (as used in automotive workshops) along with a few suitable chunks of steel used as anvils is _very_ cheap, relatively quick and suitable for small volumes of permanent disk destruction (I wouldn't use a hand pumped version for more than 10-20 drives, but the air driven ones can get you down to 20 seconds per drive with no secure erase needed)
My overall preferred solution for more than 100 drives is this:
There are several companies which offer onsite disk (and tape cartridge) shredding for quite reasonable prices (you can witness the mayhem and sign off on it) however my last employer absolutely refused to contemplate using these, preferring instead that I put hundreds of manhours into developing a secure erase process which still left us with mountains of small or worn out drives to get rid of
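The "setup and walk away" scripts mentioned above are not shown in the thread. As an added example (not the commenter's code), this sketches the single-pass zero overwrite discussed earlier in the thread, with a full read-back check; the function names are hypothetical and the target here is a constructed disk image file rather than a real device.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB per write/read

def zero_fill(path, chunk=CHUNK):
    """Overwrite every byte of `path` with zeros in one pass; return its size."""
    with open(path, "r+b") as dev:
        size = dev.seek(0, os.SEEK_END)  # also works for Linux block devices
        dev.seek(0)
        zeros = bytes(chunk)
        remaining = size
        while remaining:
            n = min(chunk, remaining)
            dev.write(zeros[:n])
            remaining -= n
        dev.flush()
        os.fsync(dev.fileno())  # make sure the zeros left the page cache
    return size

def first_nonzero(path, chunk=CHUNK):
    """Read the whole target back; return offset of first non-zero byte or None."""
    offset = 0
    with open(path, "rb") as dev:
        while True:
            block = dev.read(chunk)
            if not block:
                return None
            if block.count(0) != len(block):
                return offset + len(block) - len(block.lstrip(b"\x00"))
            offset += len(block)

def wipe_and_verify(path):
    """One pass of zeros plus verification; the dict is the per-drive record."""
    size = zero_fill(path)
    bad = first_nonzero(path)
    return {"target": path, "bytes": size,
            "verified": bad is None, "first_nonzero": bad}

def make_sample_image(path, size=3 * CHUNK + 123):
    """Constructed stand-in for a used drive: a file of random bytes."""
    with open(path, "wb") as f:
        f.write(os.urandom(size))
    return size

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        make_sample_image(img)
        print(wipe_and_verify(img))
```

A host-level overwrite like this cannot reach sectors the drive has already remapped or an SSD's spare area; the drive's own secure erase command is what covers those.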
In the 80s I was scavenging furniture from a local "donated used furniture for free" type place, and came upon several entire filing cabinets filled with medical records from the local world-famous hospital. Ob-gyn department, no less. I tried to blow the whistle anonymously to local newspapers, providing samples, but nothing happened, because I'm not in the habit of buying full page ads every week. Thus my anonymous posting, I still need to work in this town.
Then lightning strikes again, ten years later, when I'm walking through a parking lot on a windy day when overflowing wastepaper from a nearby dumpster blew over and wrapped itself around my leg. Medical records from a local private practice, which I found were overflowing the dumpster and blowing around. Again the anonymous whistle blowing with samples, again nothing.
My opinion: if medical personnel will randomly dump actual paper copies of medical records into insecure public trash, they will sure as heck not bother to wipe the hard drives they get rid of.
Tangent note: in the 90s I was at a conference on the then still futuristic concept of electronic medical records. One speaker recounted how, when he was trying to sell a hospital on his product, and someone brought up "what about security from hackers?" he would call for a 15 minute break in the presentation; after which he would return to the podium, with a fistful of paper patient charts he had just grabbed from the nearest nurses' station when nobody was looking.
> My opinion: if medical personnel will randomly dump actual paper copies of medical records into insecure public trash, they will sure as heck not bother to wipe the hard drives they get rid of.
In general many/most people see following documented/required procedures as annoying and will find easier ways to do things.
I had the situation where a central Northern Ireland health service agency sent an email with some of my health-related personal data attached which was encrypted (that's good!) to my GP Practice via email. However the same person then sent the decryption password via a 2nd email to the GP Practice less than 1 minute after they sent the 1st email (WTF!). The same agency (same person I assume) then did exactly the same thing again about 1 week later.
These were clear breaches of the agency's security policy which stated that decryption passwords must be sent via a different means (i.e. phone call, SMS, etc) than encrypted data.
The ICO case officer who looked into this (as part of a large data protection complaint I raised) decided that the only action to be taken was that the agency should create a security policy to forbid such actions (despite the agency *already* having such a policy, a copy of which I had provided to the ICO as part of the original complaint)...
"At one point my employer went through everybody's PCs and encrypted the hard drives, IIRC."
If it isn't necessary, the downsides are problematic. Businesses would need a very robust way to escrow keys since somebody leaving could be a huge problem if there's no way to access the data on their computer.
This is not hard! If you are in this profession and you think it is, maybe find a different one!
The only issue is, if those responsible for the computers decommission a computer and remove it from the system that managed the keys (e.g. Active Directory), you cannot revive the data, sorry, sucks to be you!
A microSD with NASA unreleased (at the time) data on it.
Did the 'right thing' and contacted them, eventually the page it linked to (28C1Chksum) was taken down.
Later on found out that someone had downloaded it to a card for 'research' and evidently messed up, the card had locked itself and couldn't be erased.
Oddly enough it read as all zeros on my other card reader so it was half working.
I experimented with erasing cards with this fault, turns out that it is quite feasible but the method isn't well known.
Let me guess: It requires SDI bit banging?
I have a few such SDs (including some from "reputable" makers which failed this way after only a few weeks/hundred Mb - no they aren't fakes)
The hardest part about dealing with this kind of issue is finding a SDcard reader which offers this level of access. The alternative is dedicating a RasPi or similar to the job - AFTER working out how to make it boot from something other than the SDcard (for obvious reasons)
...used to be based in Breda before going out of business.
Company goes bust, receivers flog off any assets, creditors and shareholders get almost bugger all back. There usually isn't much by way of handover of the assets concerned and the process tends to be along the lines of "auction it off and ignore any objections".
Looks like there may be a bankruptcy shaped loophole in the legislation governing data destruction.