ICO reveals reality of undeleted data on second-hand devices

An investigation has revealed that one in ten second-hand hard drives may contain residual personal information.

The Information Commissioner's Office (ICO) survey about second-hand hard drives sold online also found that 65 per cent of British adults now hand on their old phones, computers and laptops to another user, with 44 per cent giving these away for free and around one in five (21 per cent) selling them.

Forensics firm NCC Group sourced around 200 hard drives, 20 memory sticks and ten mobile phones, and searched them using forensics tools freely available on the internet. In total, 34,000 files containing personal or corporate information were removed from the devices.

The devices were mainly bought online from internet auction sites and some were sourced at computer trade fairs. The research found that while 52 per cent of the hard drives investigated were unreadable or had been wiped of data, 48 per cent contained information, 11 per cent of which was personal data. The amount of personal data found on the mobile phones and memory sticks was described as "negligible".

Information commissioner Christopher Graham said: “It is important that people do everything they can to stop their details from falling into the wrong hands. Today's findings show that people are in danger of becoming a soft touch for online fraudsters simply because organisations and individuals are failing to ensure the secure deletion of the data held on their old storage devices.

“Many people will presume that pressing the delete button on a computer file means that it is gone forever. However, this information can easily be recovered.”

Paul Vlissidis, technical director at NCC Group, said he hoped this research will be a wake-up call for the individuals and organisations who think their responsibility and liability ends with the delete button.

He said: “This isn't a case of scaremongering, or using sophisticated techniques only available to large organisations. We purposefully used simple, easily sourced forensics processes and tools to demonstrate that any information we accessed could also easily be stolen by people of criminal intent. It's sobering to think that nearly half of the used devices on the market contain personal information up for grabs.

"Ultimately, there's a huge amount of information being stored that is potentially damaging in the wrong hands. To protect both personal and corporate data, it's essential that people become better educated about securely wiping devices, which is what this research is intended to highlight.”

Ollie Hart, head of public sector UK & Ireland at Sophos, said: “This latest research once again underlines the need for better education around data protection. It's hard to believe that we're still seeing this kind of breach, particularly when you consider that four of the hard drives came from organisations rather than individuals and contained information about employees and clients, including health and financial details.

“It's disappointing to see yet another example of organisations either not caring, or not understanding their obligations. Ultimately, it is the responsibility of organisations to ensure that the data they are entrusted with is stored responsibly, whether that be centrally or locally. Everyone should ask themselves three simple questions: Where is my data? Do I have a policy for storing data locally? Have I considered the impact on both my customer and business of storing this data?”

Sign up to our newsletters