
COLUMN: The citizenship of a Japanese city, a USB stick and a lesson on the new power of our objects

Written by ga_dahmani


USB drive image by Brina Blum on unsplash.com

Last week we saw an unexpected headline in the world of cybersecurity. It is one some of us weren’t expecting in a year marked by high-profile software vulnerabilities: a single missing USB drive that contained information about the citizens of a city of nearly half a million people, Amagasaki, Japan. All of them, according to reports.

These are some of the facts of the story, first published by NHK World in Japan, a public broadcaster similar to PBS or BBC: “One of the company employees lost the USB on Tuesday. He had data on the names, addresses and dates of birth of all the city’s residents, as well as the amount of local taxes they had paid and information on social benefits. The company explained that the employee had drinks after work and then fell asleep on the street, but when he woke up he realized that he had lost the bag that contained the USB,” the station reported.

The man later found the USB drive after contacting police. It is unclear if anyone had accessed the drive. To be clear: the incident was reported as having the potential for data loss, and such reporting is a requirement for many employees who handle sensitive data.

USB drives haven’t been in the news for security incidents like this recently, because in many ways, their use has become obsolete. In particular, due to the risky nature of transferring malware via USB sticks and the easier, more cost-effective, and more controllable environments offered by cloud providers, many organizations (public and private) have banned their use altogether.

For example, IBM staff were recently informed that they are no longer allowed to use removable memory devices, such as USB sticks, SD cards, and flash drives. According to media reports, the potential for “financial and reputational” damage if devices are lost or misused by staff prompted the decision. IBM employees who need to move data are now reportedly encouraged to do so over an internal network. The decree that prohibits removable storage acknowledges that complying with it could be “disruptive”.

But that doesn’t mean that employees with wide access to personal information like this don’t have that information stored on other devices that can also be lost or stolen. A committed cyber thief can access tablets, phones, watches, anything that transmits valuable intellectual property of any kind.

Companies can certainly contribute to their security posture by prohibiting or significantly controlling the USB drives allowed on their networks. But the prospective lesson from the Japanese incident is that hardened cloud and software defenses can leave some unchecked or overlooked vulnerabilities in hardware, especially in this age of the Internet of Things. Strong asset controls and data risk classification can help mitigate these issues.

Data protection on discarded hardware and data-bearing devices (USB drives, included) is too often overlooked.

For environmental, regulatory, and sustainability reasons, these devices must be recycled responsibly. When that happens, part of the process should always include complete physical destruction of the data. Guaranteed data destruction is key. Some companies believe that their data is erased when they drop off devices for recycling, and this is not always the case.

Furthermore, the unethical and illegal shipping of e-waste abroad is an added layer to the hardware security problem because it leads to the total liquidation of our national security and the privacy of corporations and individuals in the United States. Recycling these devices is important, but it must be done the right way. Make sure your e-waste recycler is NAID certified, for starters.


Kate Fazzini is Director of Safety and Engineering Operations at Ziff Davis; adjunct professor of cybersecurity at Georgetown University; and author of Kingdom of Lies: Puzzling Adventures in the World of Cybercrime. She has served as a cybersecurity reporter for The Wall Street Journal and CNBC.

John Shegerian is co-founder and President/CEO of ERI, the nation’s leading fully integrated IT and electronic asset disposition provider and cybersecurity-focused hardware destruction company. Business Journal readers can visit eridirect.com/the-insecurity-of-every-book/ to receive a free copy of John’s new book, The insecurity of it all.
