Study Finds One in 10 Hand-Me-Down Hard Drives Still Hold Personal Data

A U.K. organization today released independent study results that show one in 10 secondhand hard drives sold online may contain “residential personal information,” such as bank statements, passports and medical details.

A U.K. organization today released independent study results that show one in 10 secondhand hard drives sold online may contain “residential personal information,” such as bank statements, passports and medical details.

In an effort to underscore the need to throughly scrub machines, mobile phones and memory sticks before passing them on, the Information Commissioner’s Office contracted with the NCC Group to secret shop some 200 hard drives, 20 memory sticks and 10 mobile phones from primarily online auction sites in December 2010. Some also came from computer trade shows.

The data retrieved from the mobile phones and memory sticks “was negligible.” However, the same could not be said for information retrieved from secondhand computers.

Using widely available freeware forensic tools, a team found more than half (52 percent) of the hard drives were unreadable or had been wiped of data. The remaining 48 percent still contained information, 11 percent of which held personal or corporate data.

In all, 34,000 files holding personal or corporate information were recovered, according to the study report.

“NCC was pleasantly surprised to find that in the case of bulk purchases, most vendors had taken steps to securely erase the data,” the report said. “However, there were concerns about the amount of data found on many of the individually purchased drives. Although some action had been taken in a number of cases (such as deleting drive partitions), this was not enough to ensure that the personal data was unrecoverable.”

In at least six instances, drives holding personal data originated from desktops. Four companies whose employee and client information was at risk were notified, and all say they are undertaking actions to prevent future data leakage.

“Today’s findings show that people are in danger of becoming a soft touch for online fraudsters simply because organisations and individuals are failing to ensure the secure deletion of the data held on their old storage devices,” Information Commissioner Christopher Graham said in a prepared statement.

“Many people will presume that pressing the delete button on a computer file means that it is gone forever,” he continued. “However this information can easily be recovered.”

Added Paul Vlissidis, technical director at NCC Group, in a published report: “This isn’t a case of scaremongering, or using sophisticated techniques only available to large organizations. We purposefully used simple, easily sourced forensics processes and tools, to demonstrate that any information we accessed could also easily be stolen by people of criminal intent. It’s sobering to think that nearly half of the used devices on the market contain personal information up for grabs.”

Another ICO survey on attitudes, done in conjunction with the NCC study, found that one in ten people fail to delete information on a mobile phone, computer or laptop before handing it over to someone else. According to the report, a majority of people interviewed (65 percent) now sell or donate on their old phones, computers and laptops, particularly if they are under 25 years old.

An ICO Web page outlines different ways for companies and consumers to wipe their drives clean before they donate or dispose of computers, mobile phones or portable storage devices. They include physical destruction, secure software deletion, factory setting restoration, outsourcing and reformatting.


Suggested articles


  • Anonymous on

    I once worked for a company where part of my job was to ensure hard drives were erased before sending the leased machines back. With the proper software (such as Killdisk, that's what we used but I'm sure there' more) it's pretty easy, though slow, work. It should be the first thing on people's minds when they sell their devices with hard drives inside. I

  • Mark Perry on

    People are getting careless with their data, I'm sure anybody who accidentally deleted documents, photos, emails or any other type of data have sourced information online on how to recover these files. A few hours later and they normally recover what was lost by accident, it's simple actions like this shows how easy it is to recover the information. Recovery program's are getting advanced, people need to realise that for a small fee, criminals can purchase this software, purchase your old drives and pull various information off quite easy. Formatting, deleting the partition and f-disk do not destroy the data! The last donated hard drive I recieved I ran a quick recovery on, within 30 minutes I had recovered the persons CV, work payroll and even their home alarm code! After informing them of what I quickly recovered it was securely erased.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.