A U.K. organization today released independent study results that show one in 10 secondhand hard drives sold online may contain “residential personal information,” such as bank statements, passports and medical details.
In an effort to underscore the need to thoroughly scrub machines, mobile phones and memory sticks before passing them on, the Information Commissioner’s Office contracted with the NCC Group to secret shop some 200 hard drives, 20 memory sticks and 10 mobile phones from primarily online auction sites in December 2010. Some also came from computer trade shows.
The data retrieved from the mobile phones and memory sticks “was negligible.” However, the same could not be said for information retrieved from secondhand computers.
Using widely available freeware forensic tools, a team found more than half (52 percent) of the hard drives were unreadable or had been wiped of data. The remaining 48 percent still contained information, 11 percent of which held personal or corporate data.
In all, 34,000 files holding personal or corporate information were recovered, according to the study report.
“NCC was pleasantly surprised to find that in the case of bulk purchases, most vendors had taken steps to securely erase the data,” the report said. “However, there were concerns about the amount of data found on many of the individually purchased drives. Although some action had been taken in a number of cases (such as deleting drive partitions), this was not enough to ensure that the personal data was unrecoverable.”
In at least six instances, drives holding personal data originated from desktops. Four companies whose employee and client information was at risk were notified, and all say they are undertaking actions to prevent future data leakage.
“Today’s findings show that people are in danger of becoming a soft touch for online fraudsters simply because organisations and individuals are failing to ensure the secure deletion of the data held on their old storage devices,” Information Commissioner Christopher Graham said in a prepared statement.
“Many people will presume that pressing the delete button on a computer file means that it is gone forever,” he continued. “However this information can easily be recovered.”
Added Paul Vlissidis, technical director at NCC Group, in a published report: “This isn’t a case of scaremongering, or using sophisticated techniques only available to large organizations. We purposefully used simple, easily sourced forensics processes and tools, to demonstrate that any information we accessed could also easily be stolen by people of criminal intent. It’s sobering to think that nearly half of the used devices on the market contain personal information up for grabs.”
Another ICO survey on attitudes, done in conjunction with the NCC study, found that one in ten people fail to delete information on a mobile phone, computer or laptop before handing it over to someone else. According to the report, a majority of people interviewed (65 percent) now sell or donate their old phones, computers and laptops, particularly if they are under 25 years old.
An ICO Web page outlines different ways for companies and consumers to wipe their drives clean before they donate or dispose of computers, mobile phones or portable storage devices. They include physical destruction, secure software deletion, factory setting restoration, outsourcing and reformatting.