One in ten secondhand hard drives contains residual personal data of its previous owner, revealed an investigation commissioned by the UK Information Commissioner’s Office and executed by IT assurance company NCC Group.
The company bought 200 hard drives, 20 USB memory sticks and 10 mobile phones through Internet auction sites and at various trade fairs, and analyzed its contents first by taking a simple look and then by employing forensic tools that anyone can download from the Internet.
And while the results of the analysis of the memory sticks and mobile phones revealed that most of the data has been securely wiped before the sale, the analyzed hard drives were teeming with data.
It’s interesting to note that only 38 percent of the tested drives had been actually wiped, and 14 percent to damaged to be readable.
Unfortunately, 11 percent of them contained personal information, and 37 percent carried non-personal information.
All in all, some 34,000 files containing personal or corporate information was retrieved from the discs, and that included files with employee information, bank details, tax information, job applications, family photos, scans of sensitive documents such as passports and bank statements, and more.
“Today’s findings show that people are in danger of becoming a soft touch for online fraudsters simply because organisations and individuals are failing to ensure the secure deletion of the data held on their old storage devices,” Information Commissioner Christopher Graham commented on the results.
“This isn’t a case of scaremongering, or using sophisticated techniques only available to large organizations,” said Paul Vlissidis, technical director at NCC Group. “We purposefully used simple, easily sourced forensics processes and tools, to demonstrate that any information we accessed could also easily be stolen by people of criminal intent. It’s sobering to think that nearly half of the used devices on the market contain personal information up for grabs.”
“Ultimately, there’s a huge amount of information being stored that is potentially damaging in the wrong hands. To protect both personal and corporate data, it’s essential that people become better educated about securely wiping devices, which is what this research is intended to highlight.”