11% of second hand hard drives contain personal information, study reveals

Filed Under: Data loss, Featured, Privacy

Old hard drivesBritain's Information Commissioner's Office (ICO) has discovered that more than one in every ten second hand hard drives contains recoverable personal information of the original owner.

The ICO commissioned the NCC Group to conduct the investigation, who acquired 200 hard drives, 20 USB sticks and 10 cellphones from internet auction sites and at trade fairs.

The devices were then scoured for personal data with alarming results.

In the case of the hard disks, 11 percent contained personal information. According to the ICO report, 37 percent contained non-personal information, and only 38 percent of devices had been wiped. A further 14 percent of the drives were too damaged to be readable.

34,000 of the files examined contained personal or corporate information - including scanned bank statements, passports, birth certificates, employee information, full bank details, family photos, and tax and medical information.

Naked Security has talked before about the danger of sensitive information falling into the wrong hands because of unsafe disposal of hard drives.

We have even seen the details of a million bank customers sold on eBay on a hard drive costing £35.

Such incidents aren't always the fault of the company who owned the hard drives, it can be that they've trusted a third party organisation to handle the secure disposal of assets. But it's always us, the unfortunate member of the public, who is most exposed by the sloppy practice.

Although more and more companies do take a higher level of care when getting rid of old computer equipment, there's clearly still more work to be done.

And don't forget, on a personal level, when throwing out your creaky old Windows computer or Mac laptop to ensure that you have securely wiped it first to prevent your personal data falling into the wrong hands.

(Although there have been concerns raised recently that secure wiping may be less than effective when dealing with some modern SSD solid state disk drives).

Maybe, once again, it's time for users and companies to consider the benefits of fully encrypting their hard drives as well as getting in the habit of securely wiping drives as they are junked?

Pile of hard drives image, from ShutterStock

, , , ,

You might like

17 Responses to 11% of second hand hard drives contain personal information, study reveals

  1. Julie Palmer · 824 days ago

    How does one "Wipe" a hard drive clean to remove all personal info?

  2. Arthur Dent · 824 days ago

    I'm actually amazed that it was just 11%. Most members of the public don't seem to have a clue about how to erase data if they are selling a computer...

  3. Mr Bean · 824 days ago

    There is another way - remove your old hard-drive and either keep it (it can be used as a backup drive for your new one), or SMASH it with a hammer (this could even be delegated to the most foul-tempered member of the family!).

    • Machin Shin · 824 days ago

      I personally have found it great fun to take them out and shoot them. Of course you want to take precautions doing this but it is great stress relief after fighting with a pc.

  4. r00t-Services.net · 824 days ago

    Boot from a Linux live CD, open up a terminal, type "fdisk -l" to list the partitions and then do "dd if=/dev/urandom of=/dev/sda1", where /dev/sda1 is the name of the partition you want to erase. This will securely wipe your data without any special software you need to run from your hard drive.

    • njorl · 824 days ago

      If you leave off the partition number, you can wipe the entire hard drive. E.g. /dev/sda for the first hard drive in the system.

      The shred command is usually much quicker, per pass, because it handles the buffering well. Note that the default for "--iterations=" is 3. (To wipe first hard drive, with a single pass, use "shred --iterations=1 /dev/sda".)

  5. The_J · 824 days ago

    @Julie Palmer: http://www.dban.org/,

    "Darik's Boot and Nuke ("DBAN") is a self-contained boot disk that securely wipes the hard disks of most computers. DBAN will automatically and completely delete the contents of any hard disk that it can detect, which makes it an appropriate utility for bulk or emergency data destruction. DBAN is a means of ensuring due diligence in computer recycling, a way of preventing identity theft if you want to sell a computer, and a good way to totally clean a Microsoft Windows installation of viruses and spyware. "

  6. Annieb · 824 days ago

    I used a product called dban which is very effective and is free PC world recommend it

  7. sdmike · 824 days ago

    At work, I do a 7-pass secure erase (DOD standard) if the drive is still working. I used to do 35-pass, but 1 terabyte drives can take over a week, so that's not really an option. I use either Apple's Disk Utility (Mac) or DBAN for Windows and Linux machines. If the drive is broken, we have a machine shop here that will shred them.

  8. Wolf · 824 days ago

    that percentage seems to be too low. Unless HD are physically destroyed, there will be personal information on it which , with the right methods, can be retrieved.

  9. Chris · 824 days ago

    I use CCleaner to wipe the free space on my HD. Will this not work for the whole drive?

  10. RumpRoast · 824 days ago

    There are no right methods to retrieve wiped data. Once the data has been overwritten, it's gone forever. A single pass is more than adequate, three passes is crazy and the 35 pass Peter Gutmann method is an exercise of the FUD principle.
    http://www.nber.org/sys-admin/overwritten-data-gu...

  11. Freida Gray · 823 days ago

    So, just doing a system recovery to return the computer to the junk that was installed in the factory won't effectively get rid of your personal data?

  12. Tom41 · 823 days ago

    If you delete data off a hard drive normally, the data isn't actually removed - just marked as available space for new files. It's possible for some utilities to recover deleted data like that; potentially giving criminals access to files you thought you deleted a long time ago!

    Worse still, the miniature magnets on the disc surface only have to be magnetised enough for the heads to read a 1 or 0. By comparing the data currently on the disc with the magnetic pattern, it's possible to go back and see what the disc contained BEFORE it was reformatted. Some experts can go back through several revisions of the data on the drive, so it is best to write random data over the whole drive at least 7 times to make sure it's unreadable.

    • njorl · 823 days ago

      Tom,

      Re. "Some experts can go back through several revisions of the data on the drive": do you remember the citation, please?

      The piece RumpRoast linked suggests that can't be done.

  13. I tend to run my computers into obsolescence and never sell them. Before tossing the computers I remove the drives and disassemble them whereupon I then smash the platters. My primary motivation isn't the destruction of the data as many programs do an adequate job at securely wiping the disc, its the magnets inside the drive I'm after.

    These internal magnets are perfect for attaching the kids school art drawings to the fridge door, once applied these magnets are near impossible to remove.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.