E-waste data security deserves specific attention: data on discarded devices could be catastrophic

A new report from PwC Australia highlights the significant threat unsanitised e-waste poses to the cyber security of Australia’s critical infrastructure and personal data.

The report, After Life: Critical Infrastructure and the e-waste data security threat, explores this often overlooked cyber security threat and its potentially serious ramifications. With the volume of global e-waste set to exceed 70 million tonnes a year by 2030, the report recommends that consideration should be given to amending guidance related to the Security of Critical Infrastructure Act 2018 (SOCI), or SOCI itself, to explicitly capture secure e-waste destruction.

An experiment conducted for the report, which focused on recovering data from two second-hand devices purchased for less than $50, shines a spotlight on poor sanitisation practices. Particularly concerning was a tablet, with corporate stickers still affixed to it, that contained a note with credentials for access to a database holding up to 20 million sensitive personal records.

The report notes that in an environment that tends to focus on present cyber threats, it is easy to tick, flick and forget end-of-life e-waste processes.

PwC Australia’s Cybersecurity & Digital Trust Leader Rob Di Pietro said that in the context of critical infrastructure, where the security stakes are high, the looming spectre of e-waste data security vulnerabilities is an issue that deserves specific attention.

“The data stored on these devices and their components may contain sensitive information related to an organisation’s operations and intellectual property, as well as personally identifying information. If they end up in the hands of a malicious actor, the results could be catastrophic.”

More broadly, the report highlights the need for organisations captured by the Privacy Act 1988 (Cth) to ensure their e-waste sanitisation processes are in order. New data breach penalties introduced last year could see these organisations fined at least $50 million for ‘serious or repeated privacy breaches’.

“There is no doubt that amid an increasingly complex regulatory and legislative cyber security backdrop, organisations are making big changes to the way they protect data during its lifecycle,” Mr Di Pietro said.

“But, as this report has explored, there are significant risks posed by unsanitised e-waste and, anecdotally, there is clear evidence poor sanitisation and destruction practices are widespread.

“Hence, there is an urgent need to, as a first step, ensure that Australia’s critical infrastructure entities are required to securely dispose of redundant devices.”

