Second Hand Drives On eBay Still Have Sensitive Personal Data

Second Hand Drives On eBay Still Have Sensitive Personal Data

Sensitive data has been found on a large number of second hand hard disk drives (HDDs) and solid state drives (SSDs) found on sale on eBay.

A free report from Blancco Technology Group, said that it had worked with Ontrack data recovery specialists to buy disk drives in the United States, UK, Germany and Finland.

And the results were concerning after sensitive data was found on 42 percent of hard drives purchased on eBay. Even worse, the researchers apparently found personally identifiable information (PII) on 15 percent of every drive.

Old data still there

Advertisement
ZoneAlarm Extreme Security

Forbes reported that every eBay seller insisted that proper data sanitisation methods had been used to ensure no data was left on the drives before being offered for sale.

It also reported that one drive belonged to a software developer who had a “high level of government security clearance.”

That drive apparently still contained scanned images of family passports and birth certificates along with financial records.

Other drives were said to have 5GB of archived internal office email from a major travel company, 3GB of data from a freight company.

“Selling old hardware via an online marketplace might feel like a good option,” Fredrik Forslund, VP of cloud and data erasure at Blancco was quoted by Forbes as saying. “But in reality it creates a serious risk of exposing dangerous levels of personal data.”

Ongoing issue

And security experts agreed.

“The problem of sensitive data existing on hard drives available from resellers is a perennial problem with serious implications,” explained Tim Mackey, senior technical evangelist at Synopsys.

“For example, in August 2017 a ‘new in box’ hard drive purchased from eBay was found to contain information relating to the Arkansas Democratic party,” said Mackey. “The purchase of used computers also pose a similar issue as shown when a laptop bought on eBay was found to contain customer information for the Royal Bank of Scotland in 2008.”

“At the time, best practice to preclude data leakage when repurposing computers included wiping the drive using forensic tools potentially using high powered magnets,” said Mackey. “In the intervening decade since these reports, the usage of solid-state drive (SSD) technology for hard drives has boomed.”

“Since SSDs don’t store data in magnetic form, and rewriting blocks of data can shorten the lifespan of some SSDs, new processes to protect data prior to disposal are required,” he warned. “If sensitive data might be stored on the drive, it’s best to consider some form of full drive encryption model. For those situations where certainty is required that data can’t be recovered, the best solution is to physically destroy the drive – an option available from many data destruction vendors. Importantly, if the drive is slated for destruction, it’s important to obtain proof of destruction. After all, if it’s important enough to be destroyed, it’s worth the effort of confirming destruction.”

Advertisement
ThinkGeek

Triple rewrites

Another security expert agreed that this was an ongoing problem and that most people don’t know the best way to delete data.

“Deleting data is notoriously difficult,” said Sam Curry, chief security officer at Cybereason. “Most people don’t understand and probably shouldn’t have to understand how indexing works, but most so-called deletion just removes pointers to data and not the data itself.”

“When you put that file in the trash, the data itself isn’t touched, just the information about it,” said Curry. “Even wiping tools often do a poor or partial job, and for a true forensics expert there are still traces and memory at the physical level of data. Destruction of the device really doesn’t make the data go away either; sure parts of it might be damaged or hard to read because the media can’t be plugged in easily. The data, however, persists.”

“The conventional best practices for securely decommissioning drives before disposal are to get professionals that you trust (and that’s a big deal and another subject) to really wipe and rewrite every trace *three times*, which feels a little like overkill to lay people,” said Curry. “It does matter, though, when the data you have is in trust from and for other people.”

“Most hard drives are commodities, so the money you get for them is really not that significant,” Curry added. “If you’re selling systems individually, though, it rarely pays to rip it out for the customer, especially if the hard drives are old and necessary to run a system. As a company, you’re selling in bulk and that’s impractical too. Most importantly, the components in hard drives can harm the environment if not disposed of properly and have huge value to be reclaimed and re-used both for the environment and in the spirit of frugality with natural resources.”

“If you’re going to do this, set up a process as a company for it or go to a professional for wiping as an individual,” he concluded. “There’s definitely opportunity here for enterprising people who want to set up secure wiping services and to build this into recycling and operations processes in IT.”

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.

back to top

Popular Tech News

A quarter of UK adults feel uneasy about using online sharing services

A quarter of UK adults feel uneasy about using online sharing services

12 May, 2019

AI-powered trusted identity as a service provider Jumio has released new details from its Global Trust and Safety Survey...

UK broadband, TV and phone customers must be informed when contract is ending

UK broadband, TV and phone customers must be informed when contract is ending

15 May, 2019

A new Ofcom ruling will go into effect on 1st July, ensuring that phone, broadband and TV companies are more open abou...

UK is 'not a surveillance state' says minister defending police face recognition tech

UK is 'not a surveillance state' says minister defending police face recognition tech

06 May, 2019

Opposition MPs have debated whether automated facial recognition technology should be used at all in the UK, after a p...

Apple plans to make online ads more private

Apple plans to make online ads more private

22 May, 2019

For years, the web has been largely free thanks to online ads. The problem is that nobody likes them. When they’re n...

ExpressVPN UK Review: The best VPN service around

ExpressVPN UK Review: The best VPN service around

11 May, 2019

What impressed us about ExpressVPN the most, is that it has gone the extra mile to provide a great user experience. ...

Nintendo Labo VR Kit UK Review: Virtual reality fun for your Switch

Nintendo Labo VR Kit UK Review: Virtual reality fun for your Switch

10 May, 2019

A year after the Nintendo’s buildable Labo kits was intorduced came a wide range of Labo experiences to pick and cho...

Apple Gives Free MacBook Repairs For Keyboard Flaw

Apple Gives Free MacBook Repairs For Keyboard Flaw

23 May, 2019

Apple has redesigned its MacBook keyboards after the firm admitted that previous models contained a design flaw. ...

Windows 10 Fix can't be restored after you install an update

Windows 10 Fix can't be restored after you install an update

19 May, 2019

Windows 10 administrators who install Windows 10 on a computer may receive a stop error when they attempt to restore t...

Categories

Home Tech Reviews UK

Mobile Tech Reviews UK

×

Sign up to keep in touch!

Be the first to hear th latest Cyber and Tech News straight to your mailbox.

Check out our Privacy Policy & Terms of use
You can unsubscribe from email list at any time