Ask Slashdot: How To Deal With Refurbed Drives With Customer Data?
An anonymous reader writes "I just received 3 'refurbished' SATA drives from Newegg. All 3 had some sort of existing partition. Most appeared to be factory diagnostic partitions, but one had a full Dell Windows XP install complete with customer data. How big a deal is this? Should I contact someone besides Newegg about this?"
First, have a look at the data. Then decide.
Choice #1: Send the drives back and demand ones without confidential data on them.
Choice #2: Use a utility like HDDErase which uses low level ATA commands to tell the controller to wipe the drive. This will wipe every sector, even ones that are bad, relocated, or protected ones. After that, follow up with DBAN for good measure.
After that, don't worry about it.
http://dban.org/
Enough said.
Music is everybody's possession.
It's only publishers who think that people own it.
Fuck Beta
~John Lenno
Technically it qualifies as a Data Breach Incident. Depending on the industry the original drive belonged to shit could hit the fan.
The fault lies entirely with the original owner for not wiping the hard drive before returning the equipment. NewEgg is not in the data wiping business.
Of course the easiest thing for you to do would simply be to repartition it and reformat it.
Darik's Boot And Nuke | Hard Drive Disk Wipe and Data Clearing
www.dban.org/
Just wipe the drive and move on. You don't want to know, and it's too much hassle besides.
The responsible thing to do is to make a TGZ of the contents and post it on Pirate bay. Zero the empty space to achieve the best compression, although someone might like rooting around in the raw data..
Do not look at laser with remaining good eye.
Why bother? Ignore it. Dumb question. Move on.
Run a few times (>=2 ) the command:
dd if=/dev/urandom of=/dev/sdx bs=4096
The solution is a little bit harder if you don't run Linux: install it first.
Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
Well on one hand, it mustn't be important data if they just resold the drives. I'd just wipe them and move on.
On the other hand, you essentially have a pirated copy of Win XP now, plus a bunch potentially sensitive data. So in the interests of limiting liability on your part and on NewEgg's part (or whoever provided the drives to NewEgg) it makes sense to inform them.
First off the drives are yours, but the data isn't. You are within your rights to wipe the drives clean and use the drives as you wish, BUT I would highly recommend contacting Newegg about this data privacy breach. The data on those drives is definitely not yours and Newegg should NEVER sell a drive with personal data on it (no matter how confidential it is). Someone should be losing their job over this.
I've gotten drives I purchased as new from Amazon and Newegg with existing Windows installations on them. In fact, I'd say I see it maybe once in every 30 drives I get. I buy enough drives that I see six or seven such drives in a typical year. Once I got a drive that was clearly part of a Windows SoftRAID before I formatted it.
Personally, I send those drives back. They clearly aren't new and they're not fit for sale in that state. I'm not paranoid enough to go looking at the SMART data for power on hours but when I run across drives like that it makes me think I should. Amazon will pay return shipping on drives in that condition. That is a good reason to buy drives from Amazon.
-- I wanna decide who lives and who dies - Crow T. Robot, MST3K
I can't help but be reminded of this scene from the movie Old School:
Mitch: Sorry, your seat belt seems to be broken. What do you recommend?
Cab Driver: I recommend you stop being such a pussy. You're in the back seat.
Just don't even worry about it. Nobody you complain to is really going to care. Give it a quick scan for anything interesting, and format once you're done.
I'd ask if you can do an exchange for one with Windows 7 on it, since XP is getting pretty long in the tooth ....
Seriously though, it sounds like NewEgg is usually putting the used drives through some sort of diagnostic process, if they all had special partitions on them for the purpose. Maybe they simply need to train their bench techs to wipe the drives first, instead of making the assumption that creating the new partition is ensuring any old data on the drive becomes unreadable/inaccessible?
There are some eastern european 'gentlemen' that will pay top dollar for quality information. Just extract the names and social security numbers, you can keep the drive.
SD
“Who knew something as harmless as willful ignorance could end up having real consequences?”
That is a good reason to buy drives from Amazon.
So Amazon selling used drives labeled as new is a good reason to buy from them? Sounds to me that you need a new vendor. And if you're buying 210 drives a year (one used drive every 30, and you see 7 used drives a year), I highly recommend you get some sort of direct wholesale or resellers account instead.
I would think a reformat would be a standard part of any retesting procedure.
I don't suffer from insanity, I enjoy every minute of it!
First check for free porn, then call New Egg about it.
Tea and kung-fu. Life is good. Rising Phoenix
Quite a few years ago we bought an allegedly new drive from a bay area electronics retailer, and found it to contain some sort of raw partition containing a list of the names of approximately HALF THE PEOPLE in the United States along with some "number". Those of us who were listed in the data were unable to figure out what the number might be (an account number etc.)
Eventually we got bored with the data and put the drive in service for its originally intended application.
I wrote up the event and sent it off to the RISKS list, especially as Peter G. Neumann, the moderator of RISKS, was listed in the data, but they didn't publish it.
G.
If it doesn't have the same diag partition, then NewEgg didn't do their usual refurb testing on it. Which means that there's a chance it's not in as good a shape as the others. So send it back and make them give you one that's been properly refurbed. There's no excuse for them not to have wiped the drive in the process of testing it before they resold it.
A thousand pounds of wood moving at 300 feet per minute. Don't get in the way.
Yea, I suppose you think that's Newegg's responsibility?
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
You don't need to write 0s or random data to disk, just format that sucker and start using it. Also, if you want, email New Egg to tell them about the problem. Maybe they'll forward the message onto the supplier who refurbishes drives and resells them without wiping the data first.
I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
I assume you don't have any LEGAL obligation to do anything other than not try to view the data. If you have any reason to suspect otherwise, ignore this entire Slashdot thread and call a lawyer.
Now the question is, how much do you WANT to do, which boils down to "at least as much as your conscience requires" and "not so much work that you'll wish you'd never ordered the drive in the first place."
At the low end of the stress scale, taking an earlier poster's suggestion and using HDDErase or something similar followed by DBAN should make sure you don't ever stumble across their data. Sending it back to NewEgg accomplishes the same thing.
If you send it back, I wouldn't use the normal return method. Instead, I'd write a letter to a high-level executive and include a copy of the drive-plate cover, a screen-shot, and a copy of your order along with a request that the executive do what it takes to make sure this never happens again, then ask for instructions to return the drive. Send the letter by certified mail. Keep copies of all correspondence.
At the high end of the stress scale, you can probably complain to a government agency, as NewEgg may have violated the law.
There are other options in between.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Order more drives. Hope for jackpot.
-- Technology for the sake of technology is as pathetic as eschewing technology because it's technology.
...as they say, is nine-tenths of the law.
Contact the original owner, and extort them for $50k. It worked so well for Anonymous and Symantec.
Karma: 0 (But I wield a mean +10 Vorpal Apathy)
Only you know how much you care, so only you know how far to go to do something about it. If it were me, I'd look at the files to see if there was something interesting then go from there. Otherwise DBAN and deal with it.
I swear to God...I swear to God! That is NOT how you treat your human!
You'd be surprised.
Long time ago I temp'd at a place that did computer recycling for various companies, mostly for a company that was a large depot of home supplies...Turns out the hard drive security wipes were a "dog and pony show", to quote the supervisor. I was instructed to run the formatting utility for about 5 seconds, and then hit cancel and throw it in the "done" pile. "That gets the first part of the drive, the rest doesn't matter."
The people that do this kind of thing have hundreds of drives to do for the day, and there is no QA, so throwing a few in the done pile without clearing it just makes you look good for being extra productive, and nobody gives a shit about the data. Never cheated myself, though I probably should have. I was fired after two weeks, go figure.
The real path to male liberation
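The "run the format for five seconds" shortcut described above passes any check that only reads the start of the disk. The following is an added example, not code from the thread: it samples blocks across the whole device so a partial wipe shows up. The function names are hypothetical, the sample image is constructed, and it assumes the wipe's final pass wrote zeros (a random-data pass such as the quoted dd from /dev/urandom cannot be checked this way).

```python
import os
import random
import tempfile

BLOCK = 4096  # same block size as the dd command quoted in the thread


def sample_offsets(size, count, rng):
    """Block-aligned offsets: first and last block, plus one random block
    from each of `count` equal strata, so no region of the device is skipped."""
    nblocks = size // BLOCK
    if nblocks == 0:
        return []
    count = min(count, nblocks)
    picks = {0, nblocks - 1}
    for i in range(count):
        lo = i * nblocks // count
        hi = (i + 1) * nblocks // count - 1
        picks.add(rng.randint(lo, hi))
    return sorted(b * BLOCK for b in picks)


def residue_report(path, samples=256, seed=None):
    """Sample a device or image file and count blocks that are not all zero.
    Assumption: the last wipe pass wrote zeros, so any non-zero block is residue."""
    rng = random.Random(seed)
    dirty = []
    with open(path, "rb") as dev:
        size = dev.seek(0, os.SEEK_END)  # also yields the size of a Linux block device
        offsets = sample_offsets(size, samples, rng)
        for off in offsets:
            dev.seek(off)
            if dev.read(BLOCK).strip(b"\0"):  # non-empty if any byte is non-zero
                dirty.append(off)
    return {
        "size": size,
        "sampled": len(offsets),
        "dirty": len(dirty),
        "first_dirty": dirty[0] if dirty else None,
    }


def head_is_clean(path, nbytes):
    """What a 'first part of the drive' spot check sees: only the leading bytes."""
    with open(path, "rb") as dev:
        return not dev.read(nbytes).strip(b"\0")


def build_image(path, size, wiped_bytes):
    """Constructed test image: `wiped_bytes` of zeros, then filler 'customer' data."""
    record = b"CONSTRUCTED CUSTOMER RECORD 0001\n"
    filler = record * (BLOCK // len(record) + 1)
    with open(path, "wb") as img:
        img.write(b"\0" * wiped_bytes)
        remaining = size - wiped_bytes
        while remaining > 0:
            chunk = filler[:min(len(filler), remaining)]
            img.write(chunk)
            remaining -= len(chunk)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "refurb.img")
        # 8 MiB image where only the first 1 MiB was overwritten
        build_image(image, 8 * 1024 * 1024, 1024 * 1024)
        print("head clean:", head_is_clean(image, 64 * 1024))
        print(residue_report(image, samples=64, seed=1))
```

Pointed at a real device (read access required) instead of the constructed image, a non-zero `dirty` count means the wipe did not reach the whole drive.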
Someone along the chain swapped the RMA'd drive for one they had hanging around. They get a refurbed drive with (hopefully) more lifetime left before failure (and the ability to return it if it does die), you get a ticking time bomb and no warranty.
If the hard drive was sold as new and had somebody's data on it, that's a strong case against Newegg.
But this is a used hard drive, and it's not Newegg's responsibility to wipe it unless they're advertising that it's been wiped. Newegg's responsibility is just to test it to see that it works (and fix it if necessary) before selling it as refurbished. Wiping the data is the responsibility of the previous owner of the hard drive.
Having said that, it would be a good idea for them to at least do a quickformat before selling it.
---------
There is inferior bacteria on the interior of your posterior.
It would be good for the rest of us to know which manufacturer is sloppy with handling their refurbs.
Yes.... Tell everyone on Slashdot!
Honestly we used to use bulk erasers like crazy on customer drives that needed to be wiped. Those old radio shack powered bulk erasers do the trick every time. Otherwise just search for 'bulk eraser hard drive' on google or bing and you should be able to find somebody who sells one or try ebay. Old school tricks still work most of the time, this is one of them from the 80's.
Customer data should be destroyed. What's stopping that data from containing credit card information, personal contact information or even business information? Newegg shipping drives that contain customer information is completely unacceptable. Granted it's the customer's job to erase the data in the first place but it's Newegg's job to assure it's completely gone!
good customer service when a mistake does come up
happened to me one time I bought a new CD that was already scratched - covered the return shipping and sent out a new one right away.
I listen to both RIAA and non-RIAA stuff if I like the music, tangential business/politics notwithstanding.
If I have a HD that has failed I pull the disks out and use them for Christmas ornaments. I don't trust sending them back. The rare earth magnets are useful too.
If you intend to reuse the drive, you can't use a bulk eraser (except for the ancient stepper motor MFM drives), because doing so will erase the servo information which typically occupies one platter surface. Once this info is wiped out, the drive is unable to operate unless the servo tracks are re-written using specialized equipment, typically only available to drive manufacturers.
Remember "News for Nerds, Stuff that Matters"? Help make it a reality again! http://soylentnews.org
I once had to wipe some disks before throwing them out (nothing really sensitive or important). But they were SCSI and I didn't have a SCSI enabled PC handy and I couldn't be bothered setting something up or downing a server to do it, etc.
So I came up with a technique for making the disks safe for disposal.
First, I threw them out the 2nd story window a few times. Then I hurled them at the ground a few more times as hard as I could for good measure.
Then I put them in a plastic bag with a heap of dog shit and water, tied the bag up and put them in the bin. If anyone still wanted to try to retrieve that data, they've earned it.
True Story. Still makes me smile.
If you intend to reuse the drive, you can't use a bulk eraser (except for the ancient stepper motor MFM drives), because doing so will erase the servo information which typically occupies one platter surface. Once this info is wiped out, the drive is unable to operate unless the servo tracks are re-written using specialized equipment, typically only available to drive manufacturers.
Ahh, that's very interesting. I retract my suggestion then!
There are two questions:
a) If you have drives with customer data of your customers and wish to refurbish them.
Here the answer is easy: Don't, if you don't have hundreds of drives, creating a safe procedure costs more than the drives will yield.
Every disk (that leaves us for ever) has an appointment with a drilling machine.
b) If you bought a refurbished drive with customer data on it.
Delete it before reading. Anything else brings trouble you're not getting paid for.
CU, Martin
I would suggest the following:
1) Contact the original owner of the drive offering to archive the data to a DVD, and send it back to the original owner of the drive/data.
2) Contact NewEgg informing them of the data breach.
3) Preserve the hard drive intact in case the original owner of the drive wishes to take legal action against NewEgg.
4) Contact your own lawyer to confirm the above BEFORE contacting ANYONE!
IANAL
If it's the right sort, I'm sure Julian Assange and WikiLeaks would be interested.
I once went over an "unwiped" drive looking for pron. What I found was a folder of "racy" photos the previous owner took. Unfortunately she was twenty years older than me, had about 200 lbs on me, and had a penchant for butternut squash, a food I can not eat to this day.
Knowledge is power, ignorance is bliss, and no amount of eye bleach will remove some images.
The thing with Amazon is that they have transitioned over the years from being a large online retailer to being an even bigger venue for others to sell their goods. The value they add is mandatory good customer service. If something goes wrong with the order I know that I will get a refund or exchange and won't have to go through hell to do so. I have had enough problems with NewEgg and most every other online retailers that I am more than happy to let Amazon be the middle man for my transactions.
Contact the person whose data was on the drive. I suspect that they'll take care of contacting Newegg for you...
Although if they're not smart enough to wipe a drive before returning it...maybe not.
Whomever Newegg purchased the drives from is at fault. If a person has a HDD die under warranty, they can't necessarily run DBAN on it before they return it to the manufacturer for replacement. Definitely let NewEgg know that these refurb drives weren't refurbished very well. If it were me, I would try and use the data on the drive to find out who it belonged to, and let them know what happened. If you file a complaint that you found someone's data on a drive, they really won't care and will just tell you to wipe it. However, if someone ever purchased a refurb drive and found my data on it, I would want to know so I could inspire some fear into the hearts of the manufacturer.
In Soviet Russia, dot slashes YOU!
Do what somebody above suggested, zero the drive and run Spinrite on it. If it fails, send it back to Newegg telling them that it not only still had customer data on it, but it failed testing.
Or see if you can identify the company it came from and send them the disk, telling them where you got it from. If it's a big company, go through their website and find their compliance officer's office or equivalent. This is entirely up to you, but *don't* boot it. Depending upon how security conscious they are, it just might dial home.
I am Homer of Borg, resistance is - Ooo Donuts!
Shove it on Megaupload!
Whereas in any country in the EU they'd scan the drive for kiddie pr0n and have a pr0n party?
Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
I'd be worried that it was not even refurbished, but connected up, and it seemed to work properly, so they just reboxed it, and off it went to Newegg. Especially if the manufacturer of the drive has ever had a firmware update for it. Many times the refurb will look at the problem, and try to decide if it was hardware or software related, and if they decide software, then reflash it, and move on to the next one in the pile (hello smartphones).
If you look closely at it, does it show any differences compared to the other two? Warranty Void stickers, screw head marks, screw torque, anything that might indicate it was handled with a different process than the other two you have?
It sounds like it doesn't have the same diag partition as the others, how was it verified?
I'd ask for a new one, and not stop asking til it is the same as the other two.
Cheers
Go through it and look for pr0n.
And if you find any, don't forget to post it to 4chan, we want to take a look at it too.
"I don't trust sending them back." Why should I not get a replacement when it fails during the warranty? And this is exactly ONE of the reasons why you should encrypt your data.
It doesn't say "used", it says "refurbished". That means "used but cleaned up, repaired if necessary and tested to work satisfactorily."
thegodmovie.com - watch it
I pretty much just go to local places. Even with the sales tax and the TSA line at the end of a Fry's trip, at least I'm seeing what I'm getting before I check out, and they seem to be pretty good at marking restocked boxes.
If I have been able to see further than others, it is because I bought a pair of binoculars.
No decision needed. Look all you want, but the liability is on you if someone decides your computer is of interest and data is questionable. Unless you report it to vendor in a verifiable way, data on the drive, even if it was not yours, is now yours in any examination. Report it in writing or no evidence will exist to point in someone else's direction for liability.
Wiping beyond technological limits of retrieval is important with both criminal liabilities and civil copyright liabilities. The odds of old data being a problem in your life may be low, but it would be icing on the cake with any situation bringing your drive to the attention of some types of investigations.
Call it paranoia if you like, but why drive around in your new used-car with a suitcase in the trunk that came with the car without knowing precisely what is inside. Remove the suitcase, or examine every square inch of it looking for contraband..
I once received a 'new' laptop drive from Fry's a few years ago that had a fully working Win 98 install, complete with AOL and stored logon information. Ok, it was more than a few years ago, but still. This is why I consider hard drives to be consumables, like toner cartridges or keyboards. Once it fails, DESTROY IT and throw it away. The cost of purchasing a new drive, instead of replacing it under warranty, is nothing compared to the risk you take by letting your data fall into some stranger's hands. Unless the vendor will allow you to receive a new drive on the condition that you destroy the old one and provide a certificate of destruction, just write it off and dispose of it safely.
Over 200 responses and not one person has given the correct answer:
"Nuke it from orbit just to be sure."
Seriously this is the only viable solution.
Well, there's spam egg sausage and spam, that's not got much spam in it.
Oddly enough I have a story involving both Newegg and Memory Express.
I recently moved away from a city which was home to my favourite store (Memory Express) and needed to buy micro SD cards. I couldn't buy from ME's online store because they didn't handle my method of payment, so I bought a card from Newegg for a bit more money and a lesser known brand. (the same brand was way more money on Newegg). I tested the card, and it was a class 4 card with a class 10 label on it. Of course Newegg only refunds price not shipping, so I'm out a lot of money and still no decent SD card. I'm holding out until my next road trip.
Moral of the story: Don't trust Newegg. Even if they do return the money, they aren't worth it.
I used to be a loyal Newegg customer, but their shipping practices leave much to be desired. They used to be blazingly fast, but now they pull some move where they ship via DHL and then hand off to the post office (or the other way round...). Shipping time is poor and they just throw hard drives in a box with no packing. Pretty risky. Not as bad as buying a car battery from Amazon though [They ship it to you and if it is defective, they tell you you can't send it back because a lead-acid battery is hazardous material!]. Last drive I bought was from Microworx which is local to me in Rochester, NY.
Sorry, but gray text on gray background is making my eyes bleed.
How do you wipe a defective drive? Sometimes you have a small window before it dies, sometimes it won't power up at all. It's up to the refurbisher to refurbish it into a like new condition, and that includes wiping any data (which should naturally occur anyway as part of testing).
That being said, unless it's an encrypted drive, I won't typically send it back, eating the cost.
I am genuinely interested in what you are talking about, do you have more information ?
int main() { while(1) fork(); }
http://en.wikipedia.org/wiki/Servowriter
http://www.me.berkeley.edu/~horowitz/Publications_files/All_papers_numbered/186c_Nie_ACC10_TutorialonSSTW.pdf
Remember "News for Nerds, Stuff that Matters"? Help make it a reality again! http://soylentnews.org
Most people seem to not have much of an idea just how much personal data they have unsecured on their workstations. I was disturbed a decade ago now to have discovered confidential information on Police & Sheriff's HD's that were being auctioned off by the County I worked for. All sorts of highly confidential data was left on the drives without a care in the world. Given people's concerns about Privacy these days, it's disheartening to read that a company like NewEgg isn't doing a damn thing to ensure they are not propagating potential identity theft. Epic Fail NewEgg, Shame on you!
You comb thru the data to find anything incriminating and then extort the owner. Seriously, are you not an American?
If there was something *bad* on the drive, it might still be hanging around. Leave it running for a day or so with DBAN.
Depends on whether it's Newegg that does the refurbishing.
It may be that the drive was sent back to the manufacturer, who fixed some issue (but didn't wipe the drive) and then gave it to Newegg for resale.
Yeah, no.. I did something like that once. My family was a fairly early adopter of cable internet when it was The Wave from Rogers in Ontario. Me, being a nosey youngster with some computer knowledge, was poking around in network neighbourhood noticing that a lot more computers showed up than the 0 that I expected. I started looking around saw a folder called "Pictures". Let's just say that I learned a lesson I won't soon forget about sticking my nose where it didn't belong, along with a lesson I wish I could forget about sticking other things where they don't belong.
See this "Triple core" CPU. It's actually a dual-core
Awhile after Xmas, I ordered the last unit they had. I returned it as soon as I got it and found it to be a dual-core. After my return, their stock went back up to 1. I believe the description has now changed a bit to indicate "Multi-Core: Dual-core", but the short description still says "triple core"
I called to report that they were still selling a dual-core as a triple-core, but it's STILL got a header calling it triple-core.
I'd be very wary of buying anything from amazon.
Gotta love the spammers. They never stop trying.
Serious? Seriousness is well above my pay grade.
I suspect they're coming that way from whomever is supplying my vendors. I've seen "new" drives containing data from a wide variety of vendors over the years including Amazon, Newegg, Provantage and CDW. For all I know they're coming out of Seagate or Samsung's factory that way. I buy drives in large enough quantities to get sealed cases full of drives rather than random one-off units someone shoved in a static bag and wrapped in bubble wrap, so I tend to think the boxes I'm getting have probably been unmolested since they got unloaded from whatever boat they came off of in California.
-- I wanna decide who lives and who dies - Crow T. Robot, MST3K
This is why we DBAN any laptops we have before we recycle them, and every laptop gets 256 bit AES FDE before it ever touches a user's hands.
I mean, seriously... should you ever come across such an HDD with classified, secret or even top secret data on it, what are you supposed to do? You can't even send it back, because you will be charged for having had a glimpse at classified information, right? But if you simply reformatted the drive, or destroyed it, you may have nuked important information that may not have been backed up. Pretty hairy stuff.
cpghost at Cordula's Web.
1. buy car battery
2. buy 1m of heavy gauge single core cable (2.5TE grounding conductor is ideal)
3. wrap cable around hard drive no more than three times
4. trim cable so the ends reach to the conductors on the battery and no more
5. apply cable to battery, wait for the spark. No more data.
home improvised EMP bombs rock.
Operation Guillotine is in effect.
To heck with pr0n, it might have bitcoins!
-- Terry
You might also look for any clue about original owner and inform him about it. And of course wipe the data.
Just to help you in deciding I would like to share two stories of mine.
I have once found a USB stick. I checked it out and found who is its owner. He was glad that I returned it to him and paid me for it.
Another one is about external HDD I had. It died one day. But I had some data that was not in any backup. So I opened it and put the drive itself in computer. I have downloaded data and wiped disk. Then I put it back into its enclosure and returned it back. It was not simple as WD external disks have security sealed screws and some plastic locks. But after getting disk out of enclosure, then it was very easy to get data out.
The reason they are refurbished may be that
the system they went into was infected with a
virus. For this reason alone you need to format/ dev/zero
the drives. Do not forget the MBR...
If you do look at the data then you have a potential liability.
What if the twit visited a site that hacked the box and cached
kiddie porn... you would be OH so screwed.
All the reasons for returning the drive are not evil
but how the heck would you know.
So what to do... .pop it in a system and boot that ;)
system with a DVD/ CDROM/ USBkey based OS and
give it a look...
Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.