Four in ten used hard drives on eBay contain sensitive data

News by Rene Millman

New research finds people at risk from becoming cybercrime victims through used hard drives.

Sensitive data is being left of around 42 per cent of used hard drives sold on eBay, according to a new report.

The research, carried out by Ontrack for a Blancco Technology Group report, looked at drives purchased from eBay in the US, UK, Germany and Finland. In addition to sensitive data, the research unearthed personally identifiable information (PII) on 15 per cent of the investigated drives.

For every 20 drives, at least three had PII. Furthermore, each seller Blancco interacted with as part of the process stated that the proper data sanitisation methods had been performed so that no data was left behind. This highlights a major concern that while sellers clearly recognize the importance of removing data, they are in fact, using methods which are inadequate, the report’s authors said.

Among the data found was a drive from a software developer "with a high level of government security clearance", with scanned images of family passports and birth certificates, CVs and financial records; university student papers and associated email addresses; and 5GB of archived internal office email from a major travel company.

Other drives were found to have 3GB of data from a freight company including documents that detailed shipping schedules and truck registrations, and school data that was comprised of photos and documents with pupil names and grades.

"Selling old hardware via an online marketplace might feel like a good option, but in reality, it creates a serious risk of exposing dangerous levels of personal data," said Fredrik Forslund, VP, cloud and data erasure, Blancco.

"By putting this equipment into the wrong hands, irreversible damage will be caused – not just to the seller, but their employer, friends and family members. It is also clear that there is confusion around the right methods of data erasure, as each seller was under the impression that data had been permanently removed. It's critical to securely erase any data on drives before passing them onto another party, using the appropriate methods to confirm that it’s truly gone. Education on best ways to permanently remove data from devices is a vital investment to negate the very real risk of falling victim to identity theft, or other methods of cybercrime."

Tim Mackey, senior technical evangelist at Synopsys, told SC Media UK that the best practice up until now o preclude data leakage when repurposing computers included wiping the drive using forensic tools potentially using high powered magnets.

"In the intervening decade since these reports, the usage of solid-state drive (SSD) technology for hard drives has boomed. Since SSDs don’t store data in magnetic form, and rewriting blocks of data can shorten the lifespan of some SSDs, new processes to protect data prior to disposal are required. If the drive in question supports the ATA SECURE_ERASE command, then that can be used to perform an effective factory reset on the drive," he said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews

Interview - Everyone has an Achilles heel: The new security paradigm

How can we defend networks now that the perimeter has all but disappeared?
Brought to you in partnership with ExtraHop