I bought an old Apple Xserve on ebay. The seller was a used computer reseller, not the original owner of the server/data. The server's hard drives were wiped and had no OS on them, but they did have one oddly named folder.

Turns out that folder contains all of the financial and HR data for a large 100-200 person company. It has EVERYTHING you could ever hope to NOT leak. Social security numbers, names, addresses, numbers, salaries, emergency contact info, even personnel photos. It even had the W-9s from their independent contractors. This hurt as I am an independent contractor and I've given my W-9s to many companies. Who knows how well those companies protect my data. (W-9s often have social security numbers on them.)

All of the files had dates from 2012 and older. I bought the server/drive in early 2018. So for 6 years, who knows where this data was. But 2012 is when it came out of service. Also, the server was a 2009 Xserve but the drive carrier was from a G5 (2005) Xserve, which means it's fairly likely that this drive did not come with this server. Whether this switch was done at the company, or whether the reseller just grabbed boxes of drives and stuck them in whatever computers needed them, who knows.

I replaced the drives with new ones, which I was going to do anyway, and now the server is in service for me. But the original drives are sitting on my desk. I still don't know what to do with them. I tried contacting the company twice but I never heard back.

If I do hear back, I suspect what they will do is either tell me to destroy them, or have me send them back to them and then they will destroy them... and do nothing else. What they SHOULD be doing is firing their 2012 IT department if any of them still work there, and notifying all pre-2013 employees that their data has been breached.

I am certainly not trying to hold these drives hostage. That said, being completely honest, if they offered me a "reward" for returning it, I certainly would accept. But they won't even acknowledge this situation. I'm getting sick of looking at these drives on my desk. I was thinking of contacting them on Facebook, since that's all the rage these days when it comes to getting a response from a company.

If there are security experts here, I'd love to hear what you think about this situation.

Also, just as a hypothetical, I am NOT going to do this. But I'm curious. Since I bought the drive, and since they aren't getting back to me, could I legally throw the drive back on ebay, and say the previous owner never erased it and it's filled with ~150GB of personal/professional data? And let sketchy people bid it up to some crazy amount of money. Again, I AM NOT GOING TO DO THIS, I'm just wondering if I could.

I'm not going to name the company publicly. But they are, ironically, a "Branding" company that works with other very large companies. How funny is that :P

  • The drive could be (from) a stolen device. There are many possibilities for how this could have happened. And regarding their communication, I think it's not what you say, it's the way that you say it. Maybe check their LinkedIn to contact a high-ranking person inside the company. – Martin Fürholz Nov 24 '18 at 12:00

To answer your question: what should I do?

There are two ways to handle this:

1st way:

  1. Destroy the drives securely.
  2. Forget about it.

2nd way:

  1. Contact the general hotline during business hours and ask for the CISO (Chief Information Security Officer) or a proxy. If they are not available ask for the compliance department or in this case probably a person in charge of compliance. If you are still out of luck ask for the legal department.

  2. Explain the situation to them. Tell them that you want to cooperate and that you do not have any copies of the drives. Make an appointment to hand the drives over to them.

  3. Hope for the best.

The 2nd way can have some unwanted ramifications for you. A lot of companies like to shift blame for security fails to those who make them visible. If the drives were stolen you could - depending on the legal situation of your state - become part of an official law enforcement investigation. Handling and accessing stolen goods is illegal in some places as well, so speaking to a lawyer first might be a good idea. If the drives were disposed of in a disorderly fashion, it will reflect even worse on the company in question. It is somewhat likely that they will lash out at you. You should prepare for that, if you go for the 2nd way.

But: if I were the CISO in this company I would hope that you would go for the 2nd way nevertheless and the overwhelming majority of people I know that work in infosec would want you to do the same. Because only then shortcomings like wrong disposal of devices are visible to the information security management and only then the controls that are in place can be reviewed and remedied.

Tom K.
  • The impression I get is that they don't have a CISO, or a compliance department, or anything like that. It's a creative company. They probably have some in-house IT for internal computer setup but that's probably about it. – l008com Nov 26 '18 at 09:13
  • Then, if you want to go that route, bring it up to the CIO or the CEO. – Tom K. Nov 26 '18 at 13:03

From a selfish point of view, you could just ignore it and, if you bother to go through the trouble, destroy it before trashing it.

From a morally-correct point of view, you should immediately hand those drives over to the police and make a report to the police, and all the relevant authorities (yup, all of them). This has twofold benefits. Firstly, since you already KNOW about the content, you don't want to put yourself in any position to be blamed. Secondly, by notifying all authorities that might have jurisdiction, you create a fuss about such a matter. The law says, and I support that, that companies should act in certain ways with the data they collect. They broke those laws and also broke the trust placed in them by the customers, and they must be held liable. This will act both as a deterrent against future malpractice by other companies and also as a punishment for the company that didn't think the data was important enough.

Privacy laws are becoming increasingly stricter with time, with the EU taking the win here (GDPR), but the US is on the same path too.

I am going to provide an example, not totally relevant though. After having problems with my internet connection for weeks and trying to resolve it through technical support, by doing resets (really? when does that help?) and bringing technicians over, the ISP tried a last "hail-Mary" and did a factory reset of my router without informing or consulting me first. I consider that a breach of privacy and contract law, since the default password can be easily generated by anyone to gain access to the network. With that access, they can just steal internet that I pay for, conduct illegal activity in my name (and then I would be under investigation), and sniff/analyze sensitive data going through my network (somewhat mitigated with TLS, but still). In the end, after a complaint to the Telecommunications Privacy Assurance Authority and a 3-year investigation, they fined them 20000EUR for that single incident. Now they can learn to be more respectful.

By now you have probably dealt with the issue, but, for any future readers, such cases present a moral duty to report, albeit not a legal one.

