Beware dodgy computer repair work – your data is at risk along with your wallet

Sometimes-outspoken and always-cynical IT news site The Register wrote yesterday about dodgy PC repair shops in its home country, England. [*]

The report was based on an exposé by the investigative TV programme BBC Watchdog. (Users with UK IP numbers: watch here.)

The usual sorts of problem you might expect from any shonky operator in any maintenance or repair business in any industry sector were there: overcharging, bogus diagnosis of “faults”, and old parts sold as new.

Passing off old parts as new is plain dishonesty in any industry – but it’s more dangerous in some than in others.

The hazards in the engineering, electrical and automotive industries are obvious: old parts, especially if they were taken out of service because they were faulty, might be physically dangerous. They’re certainly likely to mess with any future scheduled replacement cycles.

In IT, however, an old electronic part might have loads of life left in it. Hard disks fail eventually, but they don’t wear out like chainsaw blades or cam belts. The problem is not what they may have lost in their life so far, but in what they have gained: other people’s data.

In the Watchdog programme, apparently, that’s just what happened, with a used hard drive supplied as new at the impressive price of £200 ($320). The “new” drive, it seems, turned out to contain medical records from a residential care home. (To add insult to injury, the “faulty” drive it replaced wasn’t actually broken.)


There are four obvious lessons in this:

  • Before you hand your computer to a third party, take as much time as you can to decide whether you should trust them. If you aren’t sure, ask for advice from an IT-savvy friend or family member whom you know well and trust. Be wary of positive recommendations in open online forums and blog comments. They could come from anyone, including the company apparently being recommended.
  • Consider using full-disk encryption so that if your computer needs to go in for repairs or an upgrade, you don’t inevitably have to give the repairer (or anyone else in the repair chain) access to all your data. The repair may not need your computer to be started from your hard disk; if it does, a pre-boot password means you can ensure that you need to be present whenever it is booted up.
  • Consider using full-disk encryption so that if your hard disk fails, or you if you retire it for another with more capacity, you don’t have to worry about what happens to it later. Even if it ends up in someone else’s computer by accident or design, the data will be invisible to the new owner.
  • If you’re a computer repairer and you plan to use a second-hand disk, be honest about the fact that it’s not new, and wipe it first, at least as best you can. An end-to-end overwrite with dd if=/dev/zero after booting off a BSD or Linux recovery disk is a good start and will reduce the chance of data leakage. Sure, the process takes a while, but it doesn’t require any interaction.

And if you do find someone else’s data where it’s not supposed to be, please do the right thing. Wipe it without examining it, or (assuming that it’s obvious where it came from without prying too far) do what BBC Watchdog did: return it to the original owner.

[*] I am aware that England is not a sovereign independent state, and that it doesn’t have a government all of its own. But it fits better in this sentence position than “United Kingdom” or “UK”, and if FIFA can treat it as a country, so can I.