In a test of how well businesses wipe data on old devices, Rapid7 researcher Josh Frantz purchased 85 old gadgets from businesses. In total, he paid $600 for an aging collection of old computers, flash drives, phones and hard drives. What he discovered was that despite decades of the infosec community urging consumers and businesses to properly wipe digital gear ahead of disposal, hardly anybody does.
Frantz pulled data off of 80 devices he purchased from a mix of thrift stores and resale shops. Only two devices were wiped properly, and three devices were encrypted, he said in a post describing his experiment Tuesday. His haul included 214,019 images, 3,406 documents and 148,903 email messages.
“The best (or worst) part about this is that I extracted a lot of personally identifiable information,” he wrote.
After scraping and pooling the data, Frantz used a number of custom scripts that automated his forensic analysis. He used pyocr to try to identify Social Security numbers, dates of birth, credit-card numbers, and phone numbers on images and PDFs. “I then used PowerShell to go through all documents, emails and text files for the same information,” he said.
He ended up collecting 611 email addresses, 50 dates of birth, 41 Social Security numbers, 19 credit-card numbers, six driver’s license numbers and two passport numbers. “Surprisingly, most of the credit-card numbers were from scans or images of the front and/or back of the card,” he said. “The two passport numbers were also scanned into the computer.”
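The core of the analysis described above is pattern matching for the PII classes Frantz lists (Social Security numbers, dates of birth, credit-card numbers, phone numbers) over text recovered from a device. The script below is an added illustration of that kind of scan, written for this page and not Frantz's own tooling; it assumes the OCR step (pyocr over images and PDFs) has already produced plain text, and it runs over a few constructed sample files. It goes slightly beyond simple regexes by rejecting impossible SSNs and applying the Luhn check to candidate card numbers, which is what separates a usable pre-disposal verification scan from a pile of false positives; the report masks matches so the scan itself does not leak what it finds.

```python
from __future__ import annotations

import re

# Patterns for the PII classes named in the article. These are constructed for
# this example and are deliberately conservative:
#  - SSN: area 000, 666 and 9xx are never issued; group 00 and serial 0000 are invalid
#  - card: 13-19 digits, optionally separated by spaces or hyphens, validated with Luhn
#  - DOB: US-style MM/DD/YYYY with a plausible month, day and century
#  - phone: US 10-digit formats such as (555) 123-4567 or 555-123-4567
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
DOB_RE = re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b")
PHONE_RE = re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.\s])\d{3}[-.\s]\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> dict[str, list[str]]:
    """Find PII candidates in one text blob; card hits are kept only if Luhn-valid."""
    found: dict[str, list[str]] = {
        "ssn": SSN_RE.findall(text),
        "card": [],
        "dob": DOB_RE.findall(text),
        "phone": PHONE_RE.findall(text),
    }
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            found["card"].append(digits)
    return found


def scan_files(files: dict[str, str]) -> dict[str, dict[str, list[str]]]:
    """Scan a mapping of path -> recovered text and return hits per file."""
    return {path: scan_text(text) for path, text in files.items()}


def is_clean(files: dict[str, str]) -> bool:
    """True only if no file yields any PII hit; the decision a disposal check needs."""
    return all(not hits for result in scan_files(files).values() for hits in result.values())


def masked_report(files: dict[str, str]) -> list[str]:
    """Human-readable lines showing only the last four characters of each hit."""
    lines = []
    for path, result in scan_files(files).items():
        for kind, hits in result.items():
            for hit in hits:
                lines.append(f"{path}: {kind} ****{hit[-4:]}")
    return lines


# Constructed sample "recovered files" (OCR output and documents), not real data.
SAMPLE_FILES = {
    "Documents/tax_return_2015.txt": (
        "Taxpayer SSN: 123-45-6789  DOB: 04/15/1982\n"
        "Contact: (555) 123-4567\n"
    ),
    "scans/card_front_ocr.txt": "VISA 4111 1111 1111 1111 EXP 09/24 JANE DOE\n",
    "Documents/readme.txt": (
        "Order ref 1234 5678 9012 3456 (not a card, fails Luhn)\n"
        "Invalid id 000-12-3456 is not a real SSN\n"
    ),
}

if __name__ == "__main__":
    for line in masked_report(SAMPLE_FILES):
        print(line)
    print("device clean:", is_clean(SAMPLE_FILES))
```

Run as-is, the script reports the SSN, date of birth and phone number from the tax document and the Luhn-valid card number from the OCR'd scan, ignores the invalid SSN and the non-Luhn digit string in the readme, and returns a "not clean" verdict; pointing `SAMPLE_FILES` at real extracted text is the only change needed to use it as a check before a device leaves the building.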
Bottom Falls Out on Black Market Pricing
One of the more interesting aspects of Frantz’s research was estimating the black-market value of the data he salvaged. In all he spent $600 on devices and $50 on three proprietary cellphone chargers.
He said that if he had taken the recovered data and sold it on the Dark Web, he wouldn’t have broken even.
“I realized just how cheap it is to buy people’s information on the Darknet,” he wrote. “Social Security numbers only fetch around $1 apiece, while full documents (dox) fetch around $3 each. No matter how we calculate the value of the data gathered, we would never recoup our initial investment of around $600.”
He continued, “This raises a fascinating point: Data leakage/extraction is so common that it has driven down the cost of the data itself. I saw several dumps of Social Security numbers on the Darknet for even less than $1 each.”
Are We Collectively Getting Better at Disposal?
Frantz’s findings echoed the results of a study conducted 16 years ago in 2003 (PDF) at the Massachusetts Institute of Technology. That’s when two graduate students bought 158 hard drives on eBay and from online shops. Of 129 drives that worked, 69 had recoverable files and 49 contained personal information, including 3,700 credit card numbers and medical data. Only 12 of the usable drives had been properly wiped, according to the report.
“When donating or selling your technology, you should be sure to wipe it yourself rather than relying on the seller to do it for you,” reminds Frantz. “There are several great guides available for wiping your computers, phones, and tablets, so we won’t dive too deep into that topic here.”
That sounds eerily similar to the advice given 16 years ago: “Users must be educated about the proper techniques for sanitizing disk drives. Organizations must adopt policies for properly sanitizing drives on computer systems and storage media that are sold, destroyed, or repurposed,” according to the 2003 Data Forensics report.
If military-grade wiping just won’t cut it, Frantz recommends the following for permanently destroying data.
“If you are planning on recycling your technology, the following are some ways to make sure your data is irretrievable by destroying the device (or storage disk) irrevocably,” he said. His suggestions are below.
- Incineration (be careful of toxic by-products)
- Industrial shredding
- Drill/drill press