Beware dodgy computer repair work - your data is at risk along with your wallet


Sometimes-outspoken and always-cynical IT news site The Register wrote yesterday about dodgy PC repair shops in its home country, England. [*]

The report was based on an exposé by the investigative TV programme BBC Watchdog. (Users with UK IP numbers: watch here.)

The usual sorts of problem you might expect from any shonky operator in any maintenance or repair business in any industry sector were there: overcharging, bogus diagnosis of "faults", and old parts sold as new.

Passing off old parts as new is plain dishonesty in any industry - but it's more dangerous in some than in others.

The hazards in the engineering, electrical and automotive industries are obvious: old parts, especially if they were taken out of service because they were faulty, might be physically dangerous. They're certainly likely to mess with any future scheduled replacement cycles.

In IT, however, an old electronic part might have loads of life left in it. Hard disks fail eventually, but they don't wear out like chainsaw blades or cam belts. The problem is not what they may have lost in their life so far, but in what they have gained: other people's data.

In the Watchdog programme, apparently, that's just what happened, with a used hard drive supplied as new at the impressive price of £200 ($320). The "new" drive, it seems, turned out to contain medical records from a residential care home. (To add insult to injury, the "faulty" drive it replaced wasn't actually broken.)

Ow.

There are four obvious lessons in this:

  • Before you hand your computer to a third party, take as much time as you can to decide whether you should trust them. If you aren't sure, ask for advice from an IT-savvy friend or family member whom you know well and trust. Be wary of positive recommendations in open online forums and blog comments. They could come from anyone, including the company apparently being recommended.
  • Consider using full-disk encryption so that if your computer needs to go in for repairs or an upgrade, you don't inevitably have to give the repairer (or anyone else in the repair chain) access to all your data. The repair may not need your computer to be started from your hard disk; if it does, a pre-boot password means you can ensure that you need to be present whenever it is booted up.
  • Consider using full-disk encryption so that if your hard disk fails, or if you retire it for another with more capacity, you don't have to worry about what happens to it later. Even if it ends up in someone else's computer by accident or design, the data will be invisible to the new owner.
  • If you're a computer repairer and you plan to use a second-hand disk, be honest about the fact that it's not new, and wipe it first, at least as best you can. An end-to-end overwrite with dd if=/dev/zero after booting off a BSD or Linux recovery disk is a good start and will reduce the chance of data leakage. Sure, the process takes a while, but it doesn't require any interaction.
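
The overwrite from the last point, as an added example that is not part of the original article: it sizes the target, zero-fills it in place with dd, then counts any non-zero bytes left behind. The function names and the /dev/sdX placeholder are assumptions; blockdev assumes a Linux recovery disk, and an ordinary image file works as a dry-run target.

```shell
#!/bin/sh
# Added example: zero-fill a target end to end, then check the read-back.
# TARGET is a whole-disk device (/dev/sdX is a placeholder) or an image file.

# Size of the target in bytes.
target_size() {
    if [ -b "$1" ] && command -v blockdev >/dev/null 2>&1; then
        blockdev --getsize64 "$1"    # Linux block device (assumed platform)
    else
        wc -c < "$1" | tr -d ' '     # regular file, or fallback by reading
    fi
}

# Number of bytes on the target that are not zero; 0 means nothing is left.
count_nonzero() {
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

wipe_and_verify() {
    target=$1
    size=$(target_size "$target") || return 2
    [ "$size" -gt 0 ] || { echo "cannot size $target" >&2; return 2; }

    # Exactly $size zero bytes, written in place from first byte to last.
    head -c "$size" /dev/zero | dd of="$target" bs=1048576 conv=notrunc 2>/dev/null || return 3
    sync

    left=$(count_nonzero "$target")
    if [ "$left" -ne 0 ]; then
        echo "$target: $left non-zero bytes remain" >&2
        return 1
    fi
    echo "$target: $size bytes overwritten, read-back is all zeros"
}

# Run only when a target is named: sh wipe.sh /dev/sdX
[ "$#" -eq 0 ] || wipe_and_verify "$1"
```

Run it as root with the whole-disk device as the only argument. The pass reaches only addressable sectors; remapped sectors and SSD spare blocks are outside dd's reach.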

And if you do find someone else's data where it's not supposed to be, please do the right thing. Wipe it without examining it, or (assuming that it's obvious where it came from without prying too far) do what BBC Watchdog did: return it to the original owner.

[*] I am aware that England is not a sovereign independent state, and that it doesn't have a government all of its own. But it fits better in this sentence position than "United Kingdom" or "UK", and if FIFA can treat it as a country, so can I.


7 Responses to Beware dodgy computer repair work - your data is at risk along with your wallet

  1. silvery · 647 days ago

    In Russia we often remove the HDD first when we take a PC or laptop in for service, for that reason.

  2. Jay · 646 days ago

    England, while not a sovereign state on its own, certainly IS a country; no need to apologize for calling it one.
    http://en.wikipedia.org/wiki/Countries_of_the_Uni...

  3. deanna wynn · 643 days ago

    One should choose wisely which computer repairs company to choose to avoid disaster.

  4. S the tech · 641 days ago

    As a repair tech I am rarely surprised by what I see as I always ask first if there is anything that no-one else should see. I don't care about porn - it is all over the place, but would report if I found kiddy-porn. As far as encryption - great idea unless your drive failed and you really need the data that is on it. By all means encrypt but you better do constant backups as well. I cannot successfully recover encrypted files on a failed drive. You can always password protect your drive - that usually costs me an extra 2 minutes to defeat it. Bottom line - don't do illegal downloading.

  5. augustapcrepair · 635 days ago

    I don't go poking around in someone else's PC, no reason for it. I go as far as whatever the repair requires or the customer requires.

  6. The problem is that users, when a computer crashes, are so upset and worried that they do not minimally think about their data: they just want and need their things fixed. The article makes good points but the reality is that personal information is leaked first through websites and credit cards and then into the bytes of internal hard drives.

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog