Thinking about getting rid of your old laptop? Make sure you do this

Careless disposal of e-waste puts your data at risk, experts say. Here's what you should do.

Global e-waste is expected to exceed 70 million tonnes by 2030. Source: AAP / Lukas Coch

KEY POINTS:
  • There are concerns e-waste is not properly wiped before disposal, increasing the risk of data theft.
  • Consulting firm PwC discovered personal information on two second-hand devices bought from a retailer in the ACT.
  • Consumers should also make sure their devices are disposed of correctly, one expert says.

Australians' data and critical infrastructure are under threat from careless e-waste disposal, experts say.

Thousands of tonnes of old phones and other devices from Australian workplaces are disposed of every year, with some ending up shipped overseas, recycled or re-sold, consulting firm PwC said.

However, much of the e-waste is not properly "sanitised", leaving behind plenty of information criminals could make a fortune from selling on the dark web.

Why these cheap devices could have been worth far more in the wrong hands

Two devices - a tablet and mobile phone - were bought for less than $50 from a popular second-hand retailer in the ACT for the purpose of a PwC Australia report.

The tablet still had corporate stickers attached and contained a note with credentials to access a database holding up to 20 million sensitive personal records, the firm found.

More than 60 pieces of personally identifying information were also recovered from the phone using basic analysis.

The information included personal documents and photographs, with both devices potentially worth a significant sum on the black market, the firm said.

PwC pushed for the Security of Critical Infrastructure Act 2018 or its guidance to be amended to explicitly require organisations to securely dispose of e-waste.

Organisations also faced under new penalties introduced last year.

"The data stored on these devices and their components may contain sensitive information related to an organisation's operations and intellectual property, as well as personally identifying information," PwC cybersecurity and digital trust leader Rob Di Pietro said.

"If they end up in the hands of a malicious actor, the results could be catastrophic."

There was an urgent need to ensure Australia's critical infrastructure entities - including those in health care, transport, energy, and defence - were required to securely dispose of e-waste, Mr Di Pietro said.

Palo Alto Networks' regional chief security officer Sean Duca shared PwC's concerns, saying unsanitised e-waste posed a huge threat to organisations.

"There could be some clues, some breadcrumbs, that potentially could give something away to an attacker that allows them an easier entrance into the organisation," Mr Duca told the AAP news agency.

"Sure, they may have to do some work, they may have to comb through the garbage bin so to speak ... (but) in the end, they've got all the time and inclination to actually try and find something."

Australia continues to be the number one target of in the Asia Pacific region, a report by Palo Alto Networks found.

Attacks on school systems by groups such as Vice Society showed cyber criminals were willing to stoop low for a payday, the report found.

Data theft was the most common extortion tactic deployed by ransomware groups and the median ransom payment was $US350,000 ($521,000) in 2022 - lower than the median demand of $US650,000.

What should consumers do?

Like government departments and businesses, consumers should make sure their devices are disposed of correctly, said William Yeoh, an associate professor at Deakin University's Department of Information Systems and Business Analytics and innovation lead at the tertiary institution's Centre for Cyber Resilience and Trust.

He said that otherwise there was a risk an individual's personal information stored on the device could be retrieved, which could still be possible even if the device had been reset.

"People can buy hard drive recovery software, and it's very cheap," Associate Professor Yeoh said. "So deleting your software or clearing the recycling bin on your laptop or PC isn't enough."

The only way to ensure data is wiped from a device is to physically destroy the hard drive, he said.

"Smash the hard drive with a hammer or screw a nail in it," he said.

When disposing of a personal computer, for example, he recommended removing the hard drive, destroying it, and then including it in proper e-waste disposal along with the rest of the components.

Associate Professor Yeoh said he would avoid disposing of a device in its entirety in an e-waste recycling program unless it stated that data would be securely destroyed.

He added that many businesses have dedicated bins where employees can drop documents to be securely destroyed, and a similar system for electronic devices should be widespread.

Published 22 March 2023 4:13pm
Source: AAP, SBS