If you’re not careful when decommissioning your old business routers (opens in new tab), you could be risking serious sensitive data leaks, new research has warned.
A report from ESET found small and medium-sized organizations, as well as enterprises, often dispose of their old hardware inappropriately. As a result, they leak customer data, credentials, and various other authentication keys.
The company analyzed 16 distinct network devices that were disposed of and sold on the second-hand market and found nine devices – 56% – were still holding sensitive company data.
Passwords on a platter
Of the nine devices that had complete configuration data available, a quarter (22%) contained customer data, a third (33%) exposed data allowing third-party connections to the network, almost half (44%) had credentials for connecting to other networks as a trusted party, almost all (89%) itemized connection details for specific applications and contained router-to-router authentication keys.
Furthermore, all of the devices (100%) contained one or more of IPsec or VPN credentials, or hashed root passwords, and had sufficient data to reliably identify the former owner/operator.
ESET also found that some companies didn’t really care about leaking sensitive data this way. After “repeated attempts to connect” and notify the firms of the potential problem, some companies were “shockingly unresponsive”. Others, however, “showed proficiency” and handled the problem as a “full-blown security breach”.
These findings should serve as a “wake-up call” for organizations to tighten up on their data protection practices, ESET says.
“We would expect medium-sized to enterprise companies to have a strict set of security initiatives to decommission devices, but we found the opposite,” noted Cameron Camp, the ESET security researcher who led the project.
“Organizations need to be much more aware of what remains on the devices they put out to pasture, since a majority of the devices we obtained from the secondary market contained a digital blueprint of the company involved, including, but not limited to, core networking information, application data, corporate credentials, and information about partners, vendors, and customers.”