Unsanitised e-waste can pose a threat to the cybersecurity of Australia’s critical infrastructure, according to a recent PwC report.

The report, After Life: Critical Infrastructure and the e-waste data security threat, noted that in an environment that tends to focus on present cyber threats, it is easy to tick, flick and forget end-of-life e-waste processes.
With the volume of global e-waste set to exceed 70 million tonnes a year by 2030, the report recommends that consideration should be given to amending guidance related to the Security of Critical Infrastructure Act 2018 (SOCI), or SOCI itself, to explicitly capture secure e-waste destruction.
Rob Di Pietro, cybersecurity and digital trust leader at PwC Australia, said that in the context of critical infrastructure, where the security stakes are high, the looming spectre of e-waste data security vulnerabilities is an issue that deserves specific attention.
“The data stored on these devices and their components may contain sensitive information related to an organisation’s operations and intellectual property, as well as personally identifying information. If they end up in the hands of a malicious actor, the results could be catastrophic.”
An experiment conducted for the report, which focused on recovering data from two second-hand devices purchased for less than $50, shines a spotlight on poor sanitisation practices.
A tablet with corporate stickers still affixed to the device, which was particularly concerning, contained a note with credentials for access to a database holding up to 20 million sensitive personal records.
The authors of the report highlight the need for organisations captured by the Privacy Act 1988 to ensure their e-waste sanitisation processes are in order. New data breach penalties introduced last year could see these organisations fined at least $50 million for ‘serious or repeated privacy breaches’.
Di Pietro said, “There is no doubt that amid an increasingly complex regulatory and legislative cybersecurity backdrop, organisations are making big changes to the way they protect data during its lifecycle.
“But, as this report has explored, there are significant risks posed by unsanitised e-waste and, anecdotally, there is clear evidence poor sanitisation and destruction practices are widespread.”
He added, “Hence, there is an urgent need to, as a first step, ensure that Australia’s critical infrastructure entities are required to securely dispose of redundant devices.”