KEY POINTS:
When Whangarei man Chris Ogle walked out of an Oklahoma second-hand shop clutching an MP3 player last year he had no idea his $18 purchase would spark global headlines and a Pentagon investigation.
But that's what he got this week after revealing the device he bought in the United States contained what appeared to be confidential military files.
One News screened semi-pixelated images of some of the 60 files Ogle found on the player, which contained personal details of US soldiers based in Afghanistan and Iraq.
Along with cellphone and social security numbers of military personnel, the files appeared to outline mission details and equipment deployment information from 2005.
As the story spread around world, CNN reported the Pentagon was investigating the authenticity of the files.
Ogle's find is the latest example of what the IT industry calls "data leakage" - the unintended spread of sensitive information beyond the confines of the organisations where it originated.
Data leakage is a corporate security hazard that has become rampant with the growing popularity of USB thumb drives, MP3 players and other storage devices.
They are not the only way data escapes from organisations - mis-addressed emails are another common route - but the convenience of portable storage devices as a means of transporting data between computers means that a massive amount of sensitive information is now perpetually in insecure transit.
Data security company Credant Technologies surveyed 500 British drycleaners and concluded that last year 9000 USB devices were left in the pockets of items customers dropped off.
"Although we conducted this survey in the UK, the idea was to show people everywhere how easy it is to lose data, even in their local dry cleaners and that none of us are infallible," said Credant chief marketing officer Michael Callahan.
"If the data is sensitive or valuable then people should protect this information with encryption so no one can access the data at any point - as it could easily end up in the wrong hands."
Credant said workers needed to be vigilant, especially given that mobile devices have the capacity to store as many as 10,000 text documents, 11,000 pictures, 500,000 contact details or more than a million emails, and thereby "making them an obvious target for identity theft criminals and hackers who can steal this information and assume the identity of the user."
How can businesses limit the risk of data leaking?
The organisation responsible for the information Ogle stumbled upon, the US Defence Department, last year banned the use of portable storage devices on its networks, although the move was prompted by concerns about the spread of computer viruses.
Some businesses enforce thumb drive bans by supergluing over the connecting USB sockets on their staff's PCs and laptops.
Not all data leakage is accidental. Sensitive information can be copied or removed by disgruntled staff looking to steal intellectual property, or by a business's competitor who manages to gain access to its IT systems.
Jeremy Hulse, Asia-Pacific managing director of IT security company Marshal8e6 said organisations needed security policies which set out who could access data and what they were permitted to do with it.
In a survey conducted by the Employers and Manufacturers Association last year, 68 per cent of the New Zealand small and medium-sized businesses questioned said they viewed mobile technologies as a key security concern for their business.
Increasing anxiety over data leakage was linked to the arrival in the workplace of the so-called "millennial" generation - those born after 1980.
"Millennial workers can be among the highest performing in the workplace; however, the Web 2.0 applications they access at work and personal devices they store business data on can blur the lines between their personal life and work, potentially resulting in an increased risk of data leakage," David Dzienciol, a senior director with security company Symantec, said at the time.
"These new technologies present tremendous opportunities for productivity and greater engagement so business managers need to develop a plan that allows employees to explore, communicate and collaborate with these new technologies while also enabling confidence in the online world."
DATA LEAKS
Cases of gadget buyers getting more than they had expected:
August 2008 - An Asian iPhone assembly-line worker becomes an instant internet celebrity after smiling photos of her at work are posted online by the surprised UK buyer of one of the devises, which shipped with the images attached. The incident is embarrassing to iPhone maker Apple, which is notoriously secretive about its manufacturing processes.
September 2008 - The UK buyer of a camera sold on auction site eBay found it contained images taken by the MI6 security agency, including photos of terror suspects and pictures of rocket launchers and missiles.
Jan 2009 - Chris Ogle of Whangarei reveals he found sensitive US army documents on a second-hand MP3 player bought in Oklahoma. He also complains that the $18 device didn't even work as a music player.
