Over the years, we have written tiresomely about why it is so important to ensure your sensitive data doesn't get into the wrong hands. From ensuring that second-hand resellers are deleting your data as promised to tips on how to protect your data on your smart-phone, here at Ontrack we view the protection of all personal data as one of the most important issues today.
This is one of the reasons why we partnered with Blancco Technology Group – the industry standard in data erasure and mobile device diagnostics to investigate whether residual data is commonly left on used storage devices being sold online.
The drives
159 drives were purchased from eBay in the U.S, U.K, Germany, and Finland. The drives were a mixture of SSDs and HDDs from a range of leading brands, including Samsung, Dell, Seagate, HP, and Hitachi. The only requirement of the purchase was that the drives had not been wiped using Blancco products.
The process of recovering personal data
Through our industry-leading solutions and proprietary data recovery tools, all 159 drives were imaged and analyzed to confirm whether or not any residual data could be found. If any residual data was found, our Ontrack engineers went to work to recover it and identify whether the data included any personally identifiable information (PII) about the previous owner(s).
The outcome
Sensitive residual data was found to be present on 42% of the devices, with 15% containing PII. This meant that for every 20 drives we analyzed, at least three had PII residing on them!
Some of the PII included:
- A drive from a software developer with a high level of government security clearance, with scanned images of family passports and birth certificates, CVs and financial records
- University student papers and associated email addresses
- 5GB of archived internal office email from a major travel company
- 3GB of data from a cargo/freight company, along with documents detailing shipping details, schedules, and truck registrations
- University student papers and associated email addresses
- Company information from a music store, including 32,000 photos
- School data, including photos and documents with pupils' names and grades
One of the major concerns is that each of the second-hand sellers that the drives were purchased from stated that proper data sanitization methods had been performed – guaranteeing that no data would be left behind.
This highlights a major concern that while sellers clearly recognize the importance of removing data, they are in fact, using methods that are clearly inadequate.
Learnings
So, what can we learn from this study? Selling old devices, whether they are hard drives, mobile phones or laptops may seem like a good option, but in reality, there is a real risk of exposing your personal data to people you really don’t want to. If personal data gets into the wrong hands, there can be serious repercussions not just to the seller, but potentially their family, employer, and friends. The last few years have seen a worryingly high rise of cybercrime, so ensuring your personal data is kept safe is more vital than ever.
The study also highlights that there is clear confusion around the right methods of data erasure. Each seller clearly stated that the data has been permanently erased, this was obviously not the case. With so many data recovery options now available to buy online, there is a real risk that cybercriminals could have the ability to recover your personal data if you do not follow correct erasure procedures.