A new study has shown that people selling on their old used hard drives or SSDs aren't taking the proper precautions to fully wipe their data from them, with the obvious danger that the buyer may be able to access their personal information – or indeed corporate data in some cases.
This revelation was made by Blancco Technology Group in a report entitled 'The Leftovers: A Data Recovery Study', which examined some 200 drives purchased from eBay and Craigslist (93% of those were hard drives, the remainder SSDs).
Blancco's digital forensics experts then set to work on the drives and were able to recover at least some residual data from no less than 78% of these pieces of hardware. 67% of the used drives held personally identifiable data, and perhaps even more worryingly, 11% of them still held sensitive corporate data that could be extracted.
The forensics experts were able to extract company emails from 9% of drives, spreadsheets including things like sales projections from 5%, and actual customer data from 3%.
As for the personal information gleaned, photos were recovered from 43% of the drives, social security numbers from 23%, financial data from 21%, and CVs from 10%.
That's a lot of potentially damaging information when it comes to both individuals and businesses.
Not really deleted
The problem here is that most people don't realise that deleting files (and then emptying the recycle bin) doesn't actually delete the data. It may be deleted as far as the OS is concerned, but the data remains on the physical drive until it's overwritten by fresh data.
36% of the used drives simply had files deleted like so, but the most common method of wiping was actually a quick format, which the study found was employed in 40% of cases. But even formatting doesn't actually erase the data from the physical drive, and data is still potentially recoverable.
To ensure that data is truly obliterated from a hard drive or SSD, a secure data erasure method must be employed, which involves actively overwriting all traces of data (usually multiple times to make sure that nothing intelligible remains). Only 10% of the examined drives had been securely wiped.
Pat Clawson, CEO of Blancco Technologies, commented: "In even the most technology-inclined companies today, IT executives and CIOs often put most of their attention, resources and budgets towards tackling data security threats. Our study shows the dangers are just as precarious when data isn't securely and completely erased."