When data saved in cloud storage is deleted, the hard drive need to be scrubbed to totally annihilate the data, or someone else may access it later. Digital Ocean had a policy of not scrubbing hard drives until quite recently when a developer exposed this flaw in the cloud service’s data management.
The issue was cited by Jeffrey Paul in a Github post. According to him, when users deleted their data from Digital Ocean’s hard drive, the company didn’t ‘scrub’ the data, posing significant risks to the security of user’s data. Thankfully, this problem was limited to only those who make use of Digital Ocean API.
Paul posted about the issue nearly a week ago. Digital Ocean responded within no time, admitting that the vulnerability cited by Paul was valid and that the company will change its policy towards scrubbing deleted user data. Apparently, Digital Ocean initially scrubbed all hard drives after a virtual machine was destroyed. But as the company’s user base grew rapidly, it stopped the by-default scrubbing for API users and instead, introduced a manual option.
Now, Digital Ocean CEO Moisey Uretsky has stated that despite the fact that scrubbing incurs significant costs, his company will still enable data scrubbing for API users. Since the very reputation of cloud storage services hinges upon the security of user data, Uretsky went on to assure the customers that ‘We are being fully transparent and, based on customer feedback, are implementing changes rapidly….we firmly believe that being open, honest and responsive to customers is the best way to rebuild trust.”