Second-Hand Storage Devices Offer a Trove of Personal and Business Info

Buying second-hand data storage devices, like remote hard drives, is a fairly common practice—but all too often, those devices contain traces of data that enterprising new users can recover fairly easily.

To analyze the issue, Kroll Ontrack purchased 64 drives from various sources over eBay (from private sellers/consumers in the US, Germany, France, Italy, the Asia-Pacific region, Poland and the UK). It looked at whether the used drives had been successfully wiped clean or still contained any traces of data. The study found that traces of data remained on 30 drives (47%), while the remaining 34 drives had been successfully cleaned (53%).

Alarmingly, these innocent oversights allowed the new owners critical access into the previous owners’ identity. Eighteen of the 64 drives examined were found to contain critical or highly critical personal information. Nearly a third (21 drives) contained personal photos, private documents, emails, videos, wedding photos, audio or music. User account information was discovered on eight drives, including log-in data such as first name and last name, contact details, email address, online account names and passwords.

 “Despite user efforts to erase data, it can often be recovered if not done properly—this makes selling personal digital devices a matter of identity protection,” the firm said. “However, the likelihood of finding access to personal information was not the most concerning finding, but rather how sensitive that information often was. For the careless or uninformed user, selling personal data devices is little more than selling your identity.”

In the case of one drive, it had belonged to a company that used a service provider to erase and resell old drives. Despite that, the drive still contained a wealth of highly sensitive information, including user names, home addresses, phone numbers and credit-card details. It also contained an employee list of around 100 names that included information about work experience, job titles, phone numbers, language abilities, vacation dates and a 1MB offline address book.

Transactional data was recovered from nearly every seventh drive (9 drives). This included company names, salary statements, credit-card numbers, bank account info, investment details and tax returns.

One drive still contained a record of browser history, while explicit data was located on another.

“The personal realm was not the only one affected, as work-related information also finds its way very often onto private devices,” Kroll Ontrack said. “As such, business data extracted from the drives was also not in short supply.”

Six drives were found to contain critical business data such as CAD files, PDFs, JPGs, keys and passwords. Kroll Ontrack even found full online store set ups, configuration files and POS training videos in their scour of these six drives. A further five contained other work-related data: Invoices and purchase orders, much of it including sensitive personal information.

The study differentiated between HDD and SSD drives, noting the growing trend toward flash devices (SSD). Though SSD drives were by no means immune to identity risk, they tended to facilitate more successful data wipes. Of the 64 drives purchased in total, 37 were HDD and 27 were SSD drives. Over half of the HDD drives contained traces of data while only a third of the SSD drives did.

What’s Hot on Infosecurity Magazine?