Over 70,000 Personal Files Found on 100 Second-Hand USBs

Written by

Researchers have discovered tens of thousands of personal files on second-hand USB sticks they bought online, including some highly sensitive financial data.

A team from Abertay University bought the thumb drives on eBay to investigate whether second-hand storage devices pose a malware threat to the buyers, or a privacy risk to the sellers.

Although they didn’t find any sign of malware on the 100 purchased drives, around 75,000 files were easily recoverable using publicly available tools.

“More effective ways of enlightening the public are needed, so that private data is not unwittingly leaked via sold used media,” the report’s authors said in the research abstract.

That is an understatement: among the undeleted data was information on tax returns, contracts, bank statements and passwords. Only around a third of the USB sticks (32) had been properly wiped.

Karen Renaud, of Abertay’s cybersecurity department, said the potential for such information to be misused with serious consequences is “enormous.”

“An unscrupulous buyer could feasibly use recovered files to access sellers’ accounts if the passwords are still valid, or even try the passwords on the person’s other accounts given that password re-use is so widespread,” she continued.

“They would likely be able to find a seller’s email address from the files we found on the drive. They could try to siphon money from the bank accounts or even blackmail a seller by threatening to reveal embarrassing information.”

USB owners wanting to sell devices online were urged to use software to permanently wipe them first. Otherwise, they should “destroy it with a hammer,” the researchers advised.

The dangers associated with removable media security have been well publicized over recent years. In 2018, regulator the Information Commissioner’s Officer (ICO) fined Heathrow Airport Limited  £120,000 after a memory stick containing highly sensitive information was found plugged into a library computer in west London.

It contained around 1000 unencrypted files including information on the security measures used to protect the Queen on an upcoming visit.

What’s hot on Infosecurity Magazine?