Old USB Drives Are an ID Thief's Dream


Everything from nude photos to ID scans is cropping up on thumb-sized storage devices sold on the open market.

A study released by editorial tech website Comparitech turned up a range of sensitive files on 200 USB memory sticks resold in secondhand markets. Researchers from the University of Hertfordshire bought 100 of the devices in the UK and 100 in the US, via a mixture of secondhand shops, in-person auctions and eBay.

The same proportion of second-hand drives from each country – two-thirds – contained a previous user's files, researchers found. Photographs and business documents were the two most common file types, with multimedia, CVs and other private personal documentation also cropping up.

In total, 44 of the drives contained enough information to identify the previous owner. 

Some of the files found were alarming. In one case, photos of money and shotguns accompanied a search warrant containing the name of the person to be searched.

Some files were perfect fodder for identity thieves. One USB drive contained a stock trader's passport, along with their addresses in France and the UK for the past six years.

Others were just begging for blackmailers to use them. One drive included nude images of a middle-aged man along with name and contact details, the report said.

These security issues aren’t always down to negligence. In most cases, owners had attempted to remove the data. The problem was that they didn't know what they were doing. 

Although 111 of the drives had their data deleted, that data is easily recoverable using simple forensic tools. Another 24 were formatted, but again, this won't stop someone with relatively basic skills. Deleted and formatted information stays on the drive; only the index pointing to the information is overwritten.

Some owners were more diligent; 34 used proper wiping tools that render data unrecoverable. Another had encrypted the information with Microsoft's BitLocker, again putting it beyond reach.
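The gap between a deleted or formatted drive and a properly wiped one can be checked before a drive is resold. The following Python sketch is an added example, not part of the Comparitech study or the original article: it scans a raw drive image for sectors that still hold data and for common file signatures. It assumes the wipe was a zero-fill; the function names and the 16-sector sample images are constructed for illustration.

```python
import io

SECTOR = 512
# File signatures ("magic bytes") that often survive a delete or quick format.
SIGNATURES = {"jpeg": b"\xff\xd8\xff", "pdf": b"%PDF-", "zip/docx": b"PK\x03\x04"}


def audit_image(stream, sector=SECTOR):
    """Scan a raw drive image sector by sector.

    Returns (total_sectors, nonzero_sectors, hits); hits maps a signature
    name to the byte offsets of sectors that begin with that signature.
    """
    total = nonzero = 0
    hits = {name: [] for name in SIGNATURES}
    while True:
        block = stream.read(sector)
        if not block:
            break
        if any(block):  # at least one non-zero byte is still present
            nonzero += 1
            for name, magic in SIGNATURES.items():
                if block.startswith(magic):
                    hits[name].append(total * sector)
        total += 1
    return total, nonzero, hits


def is_clean(stream):
    """Assumption: the wipe was a zero-fill, so any non-zero sector is residue."""
    _, nonzero, _ = audit_image(stream)
    return nonzero == 0


def build_sample_images():
    """Constructed 16-sector images: one after a 'delete', one zero-wiped."""
    deleted = bytearray(16 * SECTOR)
    residue = (
        (0, b"\xe5HOTO   JPG"),  # FAT directory entry marked deleted (0xE5)
        (4 * SECTOR, b"\xff\xd8\xff\xe0constructed-jpeg"),  # content untouched
        (9 * SECTOR, b"%PDF-1.4 constructed"),
    )
    for offset, data in residue:
        deleted[offset:offset + len(data)] = data
    return bytes(deleted), bytes(16 * SECTOR)


if __name__ == "__main__":
    for label, image in zip(("deleted", "wiped"), build_sample_images()):
        print(label, audit_image(io.BytesIO(image)), is_clean(io.BytesIO(image)))
```

To audit a real drive, pass an image file opened in binary mode instead of the sample bytes. A wiping tool that writes random data rather than zeros needs a different check than the all-zero test used here.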

People often point to users as the problem when files turn up on old equipment, but users are clearly aware of the dangers and are trying to protect themselves. The real problem is that there’s still a divide between the people that design the systems and the people that use them.

At least part of the responsibility must rest with the operating system vendors, who must make it easier to truly delete information rather than quasi-deleting it. Only then will we see the numbers of exposed files on old hardware decreasing. Until then, expect to see more reports like this every few months, with similarly depressing statistics.
