More than 15% of used drives sold on eBay still have personal data on them
Three out of every 20 drives — 15 percent — recently bought on eBay had personal information on them, including passport numbers, financial records, and other data that could be easily accessed by anyone. The findings are from a recent study by data security firm Blancco Technology Group with Ontrack, a data recovery company, which bought 159 drives at random off eBay and tested them for stored data.
A substantial number of drives — 42 percent — still had what's called "sensitive data," which would include details like company files or video recordings, but not information that could be tied to "an identifiable person," as the report, "Privacy for Sale," described.
But more concerning were the 15 percent of the drives that had passport numbers, birth certificates and even financial records. These details can be easily used to take over someone's identity and wreak havoc on someone's financial life, from filing a false tax return to draining bank accounts.
Wiping files
Blancco's staff bought the computer drives — from laptops and desktops, both Macs and PCs — between September and October 20, 2018, from the U.S., U.K., Germany and Finland. The drives were from multiple brands including Samsung, Seagate and Hitachi, with OEM drives coming from HP and Dell.
Blancco found in February 2019 that one out of six people won't trade in their old computers and smartphones because they're worried about what might happen to their data. That concern may be founded. Sellers of the drives purchased for the April 2019 report stated that the drives had been wiped before being listed on eBay. But after analyzing the drives, Ontrack found that 25 still had personal data on them, with 66 still containing other data.
Often consumers are told to reset a device to its factory settings before turning it in for resale. But this step may not be enough, Fredrik Forslund, VP of cloud and data erasure, Blancco, told GearBrain.
"If you do a simple system reset on a device that is quick, i.e. takes a few seconds, it is the same thing as resetting the device but not erasing any information securely," he said. "That means you can recover data running software on that device."
While a quick reset, as described by Forslund, erases the index, a full format overwrites the entire disk with zeroes.
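The difference between the two resets can be reproduced on a small disk image. The following is an added example, not code from the report or from Blancco; the toy image layout (one index sector followed by data sectors) and all function names are assumptions made for illustration.

```python
import os
import tempfile

SECTOR = 512  # bytes per sector in the constructed image

def make_image(path, sectors=64):
    """Build a constructed image: sector 0 is a toy index, sector 1 holds file data."""
    with open(path, "wb") as f:
        f.write(b"INDEX:passport.jpg@1".ljust(SECTOR, b"\0"))
        f.write(b"PASSPORT-SCAN-DATA".ljust(SECTOR, b"\xaa"))  # constructed content
        f.write(b"\0" * SECTOR * (sectors - 2))

def quick_reset(path):
    """Clear only the index sector, as a fast reset does; file data stays in place."""
    with open(path, "r+b") as f:
        f.write(b"\0" * SECTOR)

def zero_fill(path):
    """Overwrite every sector with zeroes and force the writes to storage."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(size // SECTOR):
            f.write(b"\0" * SECTOR)
        f.flush()
        os.fsync(f.fileno())

def residual_sectors(path):
    """Return the sector numbers that still contain any non-zero byte."""
    dirty = []
    with open(path, "rb") as f:
        number = 0
        while chunk := f.read(SECTOR):
            if any(chunk):
                dirty.append(number)
            number += 1
    return dirty

def demo():
    """Run both resets on a fresh image and report what each leaves behind."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "disk.img")
        make_image(image)
        quick_reset(image)
        after_quick = residual_sectors(image)
        zero_fill(image)
        after_full = residual_sectors(image)
    return after_quick, after_full

if __name__ == "__main__":
    print(demo())
```

A scan like `residual_sectors` only sees the sectors the drive exposes; SSDs can hold old data in remapped or spare blocks that a logical overwrite never reaches, so a clean scan there is necessary but not sufficient.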
Personal data found
That clearly didn't happen on 25 of the drives which Ontrack and Blancco found contained the following details:
- Thousands of photos from a woman in Denmark, along with her name and those of her friends
- Details on students with photos, names and grades in Microsoft Word and Excel files from a single school
- Scanned images of family passports, birth certificates, CVs and financial records from the drive of a software developer with "a high level of government security clearance," according to the paper
Blancco said that all the drives were completely erased when the research was finished. But people who are still thinking of selling their disk drives should consider choosing a method that will ensure their data is completely wiped.
"Selling old hardware via an online marketplace might feel like a good option, but in reality, it creates a serious risk of exposing dangerous levels of personal data," said Forslund. "By putting this equipment into the wrong hands, irreversible damage will be caused – not just to the seller, but their employer, friends and family members. It is also clear that there is confusion around the right methods of data erasure, as each seller was under the impression that data had been permanently removed. It's critical to securely erase any data on drives before passing them onto another party, using the appropriate methods to confirm that it's truly gone. Education on best ways to permanently remove data from devices is a vital investment to negate the very real risk of falling victim to identity theft, or other methods of cybercrime."