SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Story image
Almost half of storage devices for sale contain personal info, study finds
Tue, 30th Apr 2019
FYI, this story is more than a year old

If you're thinking of selling a device with any type of storage (for example your smartphone, tablet, PC, laptop, used hard drive, USB stick, or any other storage device), you may want to triple check that you've wiped all of your personal information off it before you send it away.

But it seems that many people around the globe don't even take that step, according to new research from Blancco Technology Group and Ontrack.  The two companies purchased 159 used storage devices from the United States, the United Kingdom, Germany, and Finland.

They found that 42% of those devices contained sensitive data, and 15% contained personally identifiable information, like email addresses, photos, passport scans, emails, university papers, and much more.

But although many sellers thought they had wiped their devices (a process called data sanitisation), Blancco says that their methods are clearly inadequate.

“Selling old hardware via an online marketplace might feel like a good option, but in reality, it creates a serious risk of exposing dangerous levels of personal data," says Blancco VP of cloud and data erasure, Fredrik Forslund.

“By putting this equipment into the wrong hands, irreversible damage will be caused – not just to the seller, but their employer, friends and family members.

“It is also clear that there is confusion around the right methods of data erasure, as each seller was under the impression that data had been permanently removed. It's critical to securely erase any data on drives before passing them onto another party, using the appropriate methods to confirm that it's truly gone. Education on best ways to permanently remove data from devices is a vital investment to negate the very real risk of falling victim to identity theft, or other methods of cybercrime."

Personally identifiable information found on the devices included:

  • A drive from a software developer with a high level of government security clearance, with scanned images of family passports and birth certificates, CVs and financial records
  • University student papers and associated email addresses
  •  5GB of archived internal office email from a major travel company
  • 3GB of data from a cargo/freight company, along with documents detailing shipping details, schedules and truck registrations
  • University student papers and associated email addresses
  • Company information from a music store, including 32,000 photos
  • School data, including photos and documents with pupils' names and grades.

As part part of the study, Blancco and Ontrack purchased at random a range of used hard drives from leading brands, including Samsung, Dell, Seagate, HP, and Hitachi. The only requirement was that the drives had not been wiped using Blancco products. Ontrack used proprietary data recovery tools to analyse the devices. Blancco then sanitised the devices to ensure permanent data removal.