Data breaches spark hard-drive shredding boom
- 11 September, 2008 11:50
Thanks to all the fear over data security breaches, a computer recycling operation has morphed into something much bigger - and potentially more lucrative - for the Saraiva brothers.
That's not to say the nature of their work has changed much. They still make money off of companies looking to unload devices that have outlived their usefulness. They still stuff the gadgetry into a shredder on the back of a truck that reduces it to shrapnel.
The difference is they're now part of the fight against data thieves.
Their company, Corporate Destruction Solutions, is rapidly expanding to accommodate organizations desperate to destroy old hard drives before they can fall into the hands of data thieves. And they're not alone. Several companies in the metal-shredding business confirm a surge in demand for their services in the wake of many highly publicized data breaches.
"We've been focusing on hard-drive shredding for about a year and a half," says James Saraiva, who runs the business with his brother, Phil. "Before that it was all about recycling old computers." But one day a customer had trouble parting with the hard drives of those computers because a massive data breach had made the news. The brothers immediately saw the opportunity before them.
They recast the business as one specializing in the destruction of hard drives for the sake of keeping sensitive data out of sinister hands.
"When we started this there had only been a few data breaches," James Saraiva says. "As more and more breaches have made the news, this service has really taken off. Every time there's a data breach we get a lot of calls." One customer is a large retailer that suffered a massive security breach. Saraiva asked that the retailer not be named, as doing so could damage the business relationship.
The belly of the beast
The heart of Corporate Destruction Solutions is a blue beast of a machine that sits on the back of a small white truck James drives from one customer to the next.
After recording each hard drive's serial number, he drops the small metal slabs into a slot atop the machine, and on a TV monitor he can watch the drives falling between steel grinders. Sparks erupt from the hard drives as they're torn to pieces. At the end of the process, all one can see on the monitor is smoke and tiny fragments of metal. The machine spits the remains into a bucket, and the shrapnel is then sent off for recycling. The customer then receives a certificate as proof that they had their hard drives destroyed.
The small white truck has been all over New England and beyond, making as many as 10 stops a day. Some customers only need a handful of drives destroyed, others unload thousands of them. Given the demand, the brothers may buy more trucks to accommodate the locals.
The customer pays about US$10 for each hard drive destroyed. The cost is worth it, James says, since the damage from a data breach can be $200 or so per compromised name [The Ponemon Institute most recently estimated the average cost at US$197 per compromised record].
A shredding sensation, across the nation
But the customer base has spread across the nation, requiring the Saraiva brothers to partner up with other shredding companies.
"If you can't cover the whole area - we have customers in California now - you enter into a partnership with similar companies," James says. "When we steer a customer toward a partner in another part of the country, we earn a commission."
So far there are two partners, but negotiations for more partners are underway, James says. The business consists of James, Phil and a secretary and they can manage up to 50 customers locally. But the partnerships have allowed them to expand the customer base into the hundreds.
The data breach epidemic has also translated into big business for Security Engineered Machinery (SEM), which for years has been destroying sensitive data for the federal government. The company is now shredding sensitive electronic records for organizations public and private throughout the United States.
"Our specialty has been selling the shredding equipment to federal agencies so they can dispose of confidential data," says SEM President Peter Dempsey. "In the private sector, they buy the equipment as a knee-jerk reaction when there's a breach. When a breach happens, a CEO will look at the situation and say, 'We need to go out and buy the equipment.'"
An older service, newly discovered
The US Department of Defense had been buying SEM's equipment for nearly 30 years. About seven years ago, however, the company started to accommodate certain customers who were only looking to dispose of three or four hard drives at a time.
"In a case like that you don't want to buy the equipment, you want to come to our plant instead," Dempsey says. And so a section of the SEM warehouse was refitted to meet the need. Three years ago, SEM was making US$13,000 a year just on the destruction of hard drives, DAT tapes and other magnetic media. This year the revenue projection is US$750,000.
"As breaches have occurred and the private sector has become more security aware, our growth has been tied to people finding us and seeing that we comply with federal standards," he says.
Indeed, all of SEM's technology has the US National Security Agency seal of approval and the company is fully insured. The destruction process is carefully monitored around the clock with an array of video cameras. Customers are allowed to stay and witness the destruction if they wish, or they can watch remotely from the Web.
Pros and cons
Most of the security experts contacted for this story described themselves as pro-shredding, including Doc Farmer, senior security specialist at InfoSec. Others are skittish about entrusting the process to outsiders.
"I'm definitely in the pro-shredding camp, and have set up policies, standards and procedures for same in past jobs," Farmer says. "Generally, I've not known a company to do this as a business. It's always been handled internally from my experience. But considering how many data breaches have occurred recently," it's probably something worth investing in, he says.
Typically, Farmer only shredded disks that were going out the door anyway, such as when old PCs were being scrapped or donated. "I'd set up simple batch files on a bootable diskette with a copy of BCWipe.exe on it, reboot the PC and nuke the hard drive at DoD levels, which was and remains sufficient for 99.9 percent of all situations," he says.
Benoit H. Dicaire, an information security strategist for consultancy INFRAX, is more skeptical.
"You need evidence of the destruction," he says. "It's easier to do it in-house. Just the thought of transporting the gears from the corporate site to the destruction site makes me shiver."