Illegal e-waste dumped in Ghana includes unencrypted hard drives full of US security secrets

The much-vaunted anti-terror eagles at the TSA have subcontractors whose hard-drives turn up in Ghanaian junk-markets in heaps of illegally disposed-of e-waste. The drives are stuffed full of unencrypted, sensitive documents:
A team of journalists investigating the global electronic waste business has unearthed a security problem too. In a Ghana market, they bought a computer hard drive containing sensitive documents belonging to U.S. government contractor Northrop Grumman.

The drive had belonged to a Fairfax, Virginia, employee who still works for the company and contained "hundreds and hundreds of documents about government contracts," said Peter Klein, an associate professor with the University of British Columbia, who led the investigation for the Public Broadcasting Service show Frontline. He would not disclose details of the documents, but he said that they were marked "competitive sensitive" and covered company contracts with the Defense Intelligence Agency, the National Aeronautics and Space Administration and the Transportation Security Agency.

The data was unencrypted, Klein said in an interview. The cost? US$40... "It was a wonderful, ironic twist," Klein said. "Here were these contracts being awarded based on their ability to keep the data safe."

Off-camera, sources in Ghana told the reporters that data thieves routinely scour these hard drives for sensitive information, Klein said.

Reporters find Northrop Grumman data in Ghana market (via /.)


  1. yikes! I have a friend who worked for them, but they were bought out by another company. I imagine there are actually a lot of leaks this way.

  2. Well, security was yesterday’s gold rush. Today, these businesses are probably chasing ‘green’ contracts. These businesses were just playing a part in US Security Theater™. Gotta get paid, y’know!

  3. This story appeared on Frontline/World earlier this week. Frontline/World is a fantastic documentary series – highly recommended for your Tivo Season Pass list.

  4. Degauss, drill and BFH (big frigging hammer), or give ’em to me; I kill hard drives just by being near them.

    War on terror = war on braainz.

  5. Simply wiping the disk would work. I had to do this at a couple of my employers. I recommend not destroying perfectly good disks, as people like me, and apparently Ghanaians, can make good use of an old hard disk.

    Where else am I going to get refrigerator magnets?

  6. Wiping the disk doesn’t remove the data. It just makes it harder (read: more expensive) to retrieve.

    The ‘standard’ for wiping data is to overwrite the disk multiple times using alternating data patterns. Until not so long ago, seven passes were thought sufficient, based on the way flight recorders can give up 7 separate ‘recordings’ from its loop of metal wire which serves as the internal recording media.

    Forensic software, designed to be used by police or governments, but freely available to whoever can afford it, has upped the acceptable limit to 20 or so passes. However the longer something is kept on magnetic media the harder it will be to remove completely, where there can be a ‘screen burn’ effect. Thus it’s possible to examine magnetic media with electron microscopes to determine patterning of the magnetising agent.

    The question you have to ask yourself is how badly would someone want anything you might have stored on your hd.

    If you’re a defence contractor, then the physical destruction of the media makes a lot of sense.

  7. Gotta get paid, y’know!



    “Lisa, if you don’t like your job, you don’t strike. You just go in every day and do it really half-assed. That’s the American way.”

  8. Redundancy will get you no matter what. That’s how they got the Nazis.
    They kept records of everything, meticulously.

    Every day, big containers with thousands and thousands of old computers are being shipped to low-cost nations to be dismantled and disposed of.

    That’s because some private company said they could dispose of your old shit at a ridiculously low price, and now they’ve got the contract.

    They do not Degauss, drill, or anything else but ship it.

  9. Actually, Marcel, more and more organizations are requiring the waste processing contractors to shred the electronics prior to shipping. The military has changed its standards to where the material has to either be shredded before leaving the site or an employee has to witness the shredding before title passes to the disposal contractor.

    I think it’s a terrible idea. Yes, it solves the data leaks, but it wastes an incredible resource and adds immensely to the waste stream and energy usage. Why shred perfectly usable parts when it’s a tiny fraction of them that causes problems? Simply set an internal standard for separating the drives and sell them (and only them) on a must-shred contract. The data loss issue is solved while still preserving untold amounts of energy and preventing toxin releases.

    I guess the military has more reasons for the shredding, though; their problem was some unauthorized countries (i.e. Iran) were buying fighter parts through third parties that came from US military surplus. But it shouldn’t be too hard to restrict only those material classes that would represent a security problem.

  10. Anyone else think this would make a great plotline for a techno-thriller? Some massive wrongdoing by a US security agency, and this kid in Ghana has the only evidence. Now an international techno-game of techno-cat and techno-mouse ensues!

  11. Awesomes.

    Between the desire, And the spasm
    Between the potency, And the existence
    Between the essence, And the descent
    Falls the Shadow
    For Thine is the Kingdom

    For Thine is, Life is, For Thine is the

    This is the way the world ends
    This is the way the world ends
    This is the way the world ends
    Not with a bang but a whimper.

    Third world data mining, who’d a thunk it?

    Don’t worry, we’ll hurry up and close the barn door after the horses are out. All that shredding and ruination is “Too little, Too late”.

    Plus, if there was no verification that things were being wiped, who really thinks that the cut rate contractors will waste money on the energy to shred the stuff. Easier to palletize and sell, that way you get paid twice.

  12. CPU and server hard drives are only a small part of the picture.

    Printers/scanners/copiers – many have a 5GB to 20GB hard drive – containing the details of the last several hundred print/scan/copy runs.

    Cell phones, Blackberrys, PDAs all have a lot of personal data held on them. Even GPSs have your family and friends’ addresses.

    Routers, Switches? No company data but static IP addresses and other network data – helps open up your network to attack.

    Witnessed destruction – take your drives/equipment to an ewaste shredding company and watch them go into the shredder – sure it’ll cost you a few hundred bucks, but I bet Northrop wish they had done that rather than get back a few bucks by selling the equipment for “asset management” (read: Brand Destruction).

  13. From the article, it’s not clear that this is “US Security Secrets.” “Competition Sensitive” is not a US Govt. security marking, and more often than not covers pricing data, rather than technical data. Embarrassing? Yes. Security leak? Not so clear.

  14. This is on top of a UK study undertaken recently where they bought second-hand drives from eBay and looked at what was on them; one had launch codes for a US missile and had come from Lockheed Martin.

    Witnessed destruction is indeed the only way, send the newest tech down with them, pay the money, feel the comfort.

  15. Hey this could really be useful! Imagine if terrorist people “accidentally” had a PC whose HDD went its long way to Ghana!
    We could even prevent some future attacks if those secret plans got unveiled! I would even see this as a chance to prevent mischief…
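
Comment 6 describes overwriting a disk in several passes with alternating data patterns, and comment 11 notes that nobody verified the drives were wiped. The sketch below is an added example, not part of the original post or any commenter's code: it performs the passes and then reads every block back to prove the result. It assumes a file-backed disk image constructed for the demonstration; the function names, block size and patterns are hypothetical choices.

```python
import os
import tempfile

BLOCK = 4096                             # bytes per I/O block (assumed)
PATTERNS = (b"\x55", b"\xaa", b"\x00")   # alternating patterns; the last is verified


def overwrite_passes(path, patterns=PATTERNS, block=BLOCK):
    """Overwrite every byte of `path` once per pattern, syncing after each pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pat in patterns:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(block, remaining)
                f.write(pat * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())         # force the pass out of the page cache
    return size


def verify_wiped(path, expected=PATTERNS[-1], block=BLOCK):
    """Read the image back; return offsets of blocks that still hold other data."""
    dirty = []
    with open(path, "rb") as f:
        offset = 0
        while chunk := f.read(block):
            if chunk != expected * len(chunk):
                dirty.append(offset)
            offset += len(chunk)
    return dirty


def make_sample_image(blocks=8):
    """Constructed test image: zero-filled, with fake 'documents' in blocks 2 and 5."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        for i in range(blocks):
            data = b"CONTRACT-DRAFT " if i in (2, 5) else b""
            f.write(data.ljust(BLOCK, b"\x00"))
    return path


if __name__ == "__main__":
    img = make_sample_image()
    print("before wipe, dirty blocks at:", verify_wiped(img))
    overwrite_passes(img)
    print("after wipe, dirty blocks at:", verify_wiped(img))
    os.remove(img)
```

Run against a real block device, the read-back only proves what the host can address; remapped sectors and SSD over-provisioned areas are outside its reach, which is the case for the witnessed destruction raised in the thread.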
