Old Tech Spills Digital Dirt on Past Owners


Researcher buys old computers, flash drives, phones and hard drives and finds only two properly wiped devices out of 85 examined.

In a test of how well businesses wipe data on old devices, Rapid7 researcher Josh Frantz purchased 85 old gadgets from businesses. In total, he paid $600 for an aging collection of old computers, flash drives, phones and hard drives. What he discovered was that despite decades of the infosec community urging consumers and businesses to properly wipe digital gear ahead of disposal, hardly anybody does.

Frantz pulled data off of 80 devices he purchased from a mix of thrift stores and resale shops. Only two devices were wiped properly, and three devices were encrypted, he said in a post describing his experiment Tuesday. His haul included 214,019 images, 3,406 documents and 148,903 email messages.

“The best (or worst) part about this is that I extracted a lot of personally identifiable information,” he wrote.

After scraping and pooling the data, Frantz used a number of custom scripts that automated his forensic analysis. He used pyocr to try to identify Social Security numbers, dates of birth, credit-card numbers, and phone numbers on images and PDFs. “I then used PowerShell to go through all documents, emails and text files for the same information,” he said.
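Frantz's scripts are not published in the article, so the following is an added example, not Rapid7's or Frantz's code, of the kind of pattern scan he describes, written for auditing your own devices before they are sold or donated. It assumes the text has already been extracted by OCR (pyocr, for images and PDFs) or a document parser, which is not shown; the sample text is constructed. Credit-card candidates are filtered with the Luhn checksum so that order numbers and other long digit runs are not reported as cards, and findings are printed redacted so the audit report does not itself leak the data.

```python
"""Scan extracted text for the PII patterns the article names (Social Security
numbers and credit-card numbers) before a device leaves your hands.
Added example; assumes text already extracted from documents or OCR output."""
import re
from typing import Dict, List

# Constructed sample: stands in for OCR output from a scanned card and a memo.
SAMPLE_TEXT = """
Employee record - SSN: 123-45-6789, DOB 04/12/1980
Scanned card front: 4111 1111 1111 1111  exp 09/27
Order ref 4111-1111-1111-1112 (not a card: fails Luhn)
Invalid SSN 000-12-3456 should be ignored
Phone 555-867-5309
"""

# SSN in the form AAA-GG-SSSS: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by single spaces or hyphens; validated with Luhn.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> Dict[str, List[str]]:
    """Return candidate SSNs and Luhn-valid card numbers (digits only) found in text."""
    ssns = SSN_RE.findall(text)
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            cards.append(digits)
    return {"ssn": ssns, "card": cards}


def redact(value: str, keep: int = 4) -> str:
    """Mask all but the last `keep` characters so the report does not re-leak the data."""
    return "*" * (len(value) - keep) + value[-keep:]


def report(text: str) -> Dict[str, int]:
    """Print redacted findings and return the number of hits per category."""
    hits = find_pii(text)
    for kind, values in hits.items():
        for v in values:
            print(f"{kind}: {redact(v)}")
    return {kind: len(values) for kind, values in hits.items()}


if __name__ == "__main__":
    report(SAMPLE_TEXT)
```

Run against a directory of extracted text, `report` gives a per-device count of what would have walked out the door; anything above zero means the device needs wiping (or destruction) before it leaves.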

He ended up collecting 611 email addresses, 50 dates of birth, 41 Social Security numbers, 19 credit-card numbers, six driver’s license numbers and two passport numbers. “Surprisingly, most of the credit-card numbers were from scans or images of the front and/or back of the card,” he said. “The two passport numbers were also scanned into the computer.”

Bottom Falls Out on Black Market Pricing

One of the more interesting aspects of Frantz’s research was estimating the black-market value of the data he salvaged. In all he spent $600 on devices and $50 on three proprietary cellphone chargers.

He said that if he had taken the recovered data and sold it on the Dark Web, he wouldn’t have broken even.

“I realized just how cheap it is to buy people’s information on the Darknet,” he wrote. “Social Security numbers only fetch around $1 apiece, while full documents (dox) fetch around $3 each. No matter how we calculate the value of the data gathered, we would never recoup our initial investment of around $600.”

He continued, “This raises a fascinating point: Data leakage/extraction is so common that it has driven down the cost of the data itself. I saw several dumps of Social Security numbers on the Darknet for even less than $1 each.”

Are We Collectively Getting Better at Disposal?

Frantz’s findings echoed the results of a study conducted 16 years ago, in 2003, at the Massachusetts Institute of Technology. That’s when two graduate students bought 158 hard drives on eBay and from online shops. Of 129 drives that worked, 69 had recoverable files and 49 contained personal information, including 3,700 credit-card numbers and medical data. Only 12 of the usable drives had been properly wiped, according to the report.

“When donating or selling your technology, you should be sure to wipe it yourself rather than relying on the seller to do it for you,” reminds Frantz. “There are several great guides available for wiping your computers, phones, and tablets, so we won’t dive too deep into that topic here.”

That sounds eerily familiar to advice given 16 years ago: “Users must be educated about the proper techniques for sanitizing disk drives. Organizations must adopt policies for properly sanitizing drives on computer systems and storage media that are sold, destroyed, or repurposed,” according to the 2003 Data Forensics report.

If military-grade wiping just won’t cut it, Frantz recommends the following for permanently destroying data.

“If you are planning on recycling your technology, the following are some ways to make sure your data is irretrievable by destroying the device (or storage disk) irrevocably,” he said. His suggestions are below.

  • Hammer
  • Incineration (be careful of toxic by-products)
  • Industrial shredding
  • Drill/drill press
  • Acid
  • Electrolysis
  • Microwaves
  • Thermite


Discussion

  • John W

    *Almost* amusing to see things just don't change. I was in the secondary technology market many, many years ago and we found unimaginable sensitive information on both personal and business systems. I have to assume organizations are doing a much better job at wiping today. If they are leased, the leasing companies will require a certified wipe. In the list of methods to prevent later access, I'd take everything off but the drill and add a nail gun. The ROI on the other stuff - for any kind of volume - is really not there; not to mention the real possibility of hurting oneself. We've seen data recoveries from hammered drives, and have seen people get hurt with a couple of the others. Individuals simply aren't thinking about this, and won't, though they of course should. Manufacturers and retailers need to provide reminders at the time of purchase to at least plant the seed. Great to see this brought up!
  • John D

    For regular computer hard drives DBAN (Darik's Boot and Nuke) should be sufficient so no data is recoverable, correct?
