42% of used drives sold online are holding sensitive data

Over the years, we have written about why it is important to ensure your sensitive data doesn't get into the wrong hands. From ensuring that second-hand resellers are deleting your data as promised to tips on how to protect your data on your smart-phone, here at Ontrack we view the protection of all personal data as one of the most important issues today.

Partnering with Blancco Technology Group, we went to work to see what residual data we could find on used online storage devices.

The drives

The 159 drives purchased were from eBay in the U.S, U.K, Germany, and Finland. The drives were a mixture of SSDs and HDDs from a range of leading brands, including Samsung, Dell, Seagate, HP, and Hitachi.

The process of recovering personal data

Using our industry-leading solutions and proprietary data recovery tools, we analysed the 159 drives. When our Ontrack engineers found residual data, they worked to recover it and identify whether the data included any personally identifiable information (PII) about the previous owner(s).

The outcome

We found sensitive residual data on 42% of the devices, with 15% containing PII. This meant that for every 20 drives analysed, at least three had PII residing on them!

Some of the PII included:

• A drive from a software developer with a high level of government security clearance. Scanned images of family passports and birth certificates, CVs and financial records
• University student papers and associated email addresses
• 5GB of archived internal office email from a major travel company
• 3GB of data from a cargo/freight company, along with documents detailing shipping details, schedules, and truck registrations
• University student papers and associated email addresses
• Company information from a music store, including 32,000 photos
• School data, including photos and documents with pupils' names and grades

One of the major concerns is that each of the second-hand sellers that the drives was purchased from stated that proper data sanitisation methods had been performed – guaranteeing that no data would be left behind.

This highlights a major concern that while sellers clearly recognise the importance of removing data, they are using methods that are clearly inadequate.

Learnings

So, what can we learn from this study? Selling old devices, whether they are hard drives, mobile phones or laptops may seem like a good option, but in reality, there is a real risk of exposing your personal data to people you really don’t want to. If personal data gets into the wrong hands, there can be serious repercussions not just to the seller, but potentially their family, employer, and friends. The last few years have seen a worryingly high rise of cybercrime, so ensuring your personal data is kept safe is more vital than ever.

Finally, the study also highlights that there is clear confusion around the right methods of data erasure. Each seller clearly stated that the data has been permanently erased, but this was obviously not the case. With so many data recovery options now available to buy online, there is a real risk that cybercriminals could have the ability to recover your personal data if you do not follow correct erasure procedures.