Slashdot Mirror


Study Finds 1 in 10 Used Hard Drives Contains Old Personal Data

Lucas123 writes "A newly published study by Britain's data protection regulatory agency found that more than one in 10 second-hand hard drives being sold online contain recoverable personal information from the original owner. 'Many people will presume that pressing the delete button on a computer file means that it is gone forever. However this information can easily be recovered,' Britain's Information Commissioner, Christopher Graham, said in a statement. In all, the research found 34,000 files containing personal or corporate information were recovered from the devices. Along with the study, a survey revealed that 65% of people hand down their old PCs, laptops and cell phones to others. One in ten of those people who disposed of their old devices left all their data on them. The British government also offered new guidelines for ensuring devices are properly wiped of data."

29 of 111 comments

  1. Whoopdie-doo by timeOday · · Score: 5, Insightful

    Who is going to bother with a time-consuming forensic-analysis style attack with a 10% chance of success when you can break into some company and get thousands of credit card numbers and/or SSNs? Sheesh, if you want credit card numbers, just get a job at any restaurant as a waiter.

    1. Re:Whoopdie-doo by YodasEvilTwin · · Score: 4, Insightful

      This figure actually seems extremely low. 90% of people know how to properly wipe their drives? Yeah right. And there's essentially 0 risk in stealing data off a drive you legitimately own or find in the garbage -- not so for screwing around at work.

    2. Re:Whoopdie-doo by Anonymous Coward · · Score: 2

      Yes, you put the credit card in the payment book, then they take it away and run it. When they come back you sign the slip.

    3. Re:Whoopdie-doo by whoever57 · · Score: 2

      - I have never been to a restaurant where my credit card (or debit card) leaves my possession. And I always pay by either one of them. You actually give someone else your credit card and they then leave your sight with it?

      In the USA, yes. That's what normally happens.

      --
      The real "Libtards" are the Libertarians!
    4. Re:Whoopdie-doo by Anonymous Coward · · Score: 3

      He also always does this (when he goes to a restaurant). And yet he also always never has it leave his sight. Hint: he doesn't leave his parent's basement; this is slashdot.

    5. Re:Whoopdie-doo by agm · · Score: 2

      In the USA, yes. That's what normally happens.

      Damn, that's just asking for trouble. There's no way I would let anyone take my credit or debit card out of my sight. The majority of times I do the actual inserting of the card into the machine before entering my PIN - the retailer never gets their hands on it.

    6. Re:Whoopdie-doo by icebraining · · Score: 2, Informative

      Or maybe (s)he lives in a country like mine, where GSM-connected portable card readers (with keypads for PINs) are ubiquitous? I know you're used to your broken payment systems, but you shouldn't assume everyone is.

    7. Re:Whoopdie-doo by CFD339 · · Score: 2

      How many Apple "Genii" (Genuses?) will bother to do a drive wipe? What about Geek Squad types? The red shirt guys (now there's a good name) in Staples? Even the ones who know -- will they wait the hour+ while the drive wipe happens?

      If I still did stuff like that for a living (thank FSM I don't and haven't in 20 years) I'd be pulling the drives as untouched as possible until I knew the data transfer worked as well as possible. Then I'm done -- would I have the discipline to then waste an hour more wiping a drive? Probably not when I was that age.

      --
      The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln
    8. Re:Whoopdie-doo by greg1104 · · Score: 4, Funny

      I tried running an in-home computer cleanup firm under the name of the Red Shirt Guys, but every time one of the consultants went on-site they died.

    9. Re:Whoopdie-doo by hairyfeet · · Score: 4, Insightful

      Or just keep an eye out by the dumpsters. You'd be amazed how many times companies would just sit computers out without even bothering to wipe squat. I've gotten to be friends with the handyman for my apt building and since he works also at some of the city buildings as well as a few businesses and he picks up any machines they are tossing because he knows I refurb PCs for poor folks and it just blows my mind how many times I've found CC numbers, tax forms, you name it on these machines.

      Hell he called me once to bring out my truck because one of the local telcos were tossing their old towers when they upgraded. I got nearly 40 towers with nothing but the Windows password between me and ALL their data. Of course being an honest man I simply nuked the drives and did clean installs but if I'd have been a bad guy the amount of data I'd have would have been insane. So think about that when you are giving your data to some company, you never know if they just sit their old machines on a curb somewhere.

      But I have yet to see anyone recover data from a 3 pass DoD (sure a single zero out will do it, but I've found more companies will hand me machines if I tell them I'll DoD the machine) so please don't go for that insane "hey we'll shoot the drive!" kinda crap as there are a LOT of poor folks hurting in this economy and those old PCs can really help folks. So please just wipe and freecycle, it's better for the environment and better for the poor folks around you.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    10. Re:Whoopdie-doo by agm · · Score: 2

      Um, I'm assuming you don't live in the US, or are new to credit cards. Roughly 80% of the restaurants I've eaten in take your card with them to their register, swipe it, and then return it to you. Pretty common.

      I live in New Zealand. Paying by "plastic" is pretty much the norm here, and increasingly so the retailer never gets their hands on our cards. The vast majority of restaurants here have you pay on your way out at the counter.

    11. Re:Whoopdie-doo by hairyfeet · · Score: 3, Interesting

      Well I can only answer that with an anecdote, but from a friend that worked for awhile at a GS to get some extra cash the answer to that question would depend on this one...is there any porn on the drives? MP3? Movies? how about pics of your GF? because he said that roughly half the guys he worked with had USB HDDs that had batch files that looked for anything they might want to snatch, which would explain why you always hear of the CP guys getting busted by GS, they trip over the files looking for stuff to snatch.

      While I haven't done this personally, in fact I pride myself on not knowing a damned thing about what is on a customer's PC as I don't snoop I just do my job, I can say I have seen this behavior at other shops in the past I even had a creepy coworker that used to brag about how large his MP3 and porn video collection was because he snatched any chance he got. Just one more reason to ask around and find out the rep of the shop you are going to AND to use encryption, hell even something as simple as a password protected zip or rar file would block most of these guys because they are looking for easy targets.

      Personally after seeing that the transfer went fine I ask what the customer wants done with the drive and if they don't want it it gets boot and nuked and stuff in the spare drawer and since I keep an old machine in the corner just for that job it isn't a hardship. Many of the newer minitowers can't hold but a single drive at a time so I often end up with a pile of 80Gb-300Gb drives that I then use on refurbed machines for the poor, but it really creeps me out to think there are guys snooping around people's computers just looking for stuff to snatch, it's too much like going through someone's underwear drawer...yuck.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    12. Re:Whoopdie-doo by advocate_one · · Score: 2

      UK, they bring the portable reader to you for you to enter the PIN to authorise the transaction... manual swiping is very rare...

      --
      Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
    13. Re:Whoopdie-doo by ckaminski · · Score: 2

      I used to have this 10 pound industrial rare earth magnet. This thing was so tough I could put it on an i-beam and suspend 300+ pounds from it. I put it on a monitor once and fucked it all up for eternity.

      That's what I used to use to wipe my hard drives. A trip through the tumbler with that thing and GOOD FUCKING LUCK getting anything useful.

      Now I just use thermite and turn it into slag.

  2. Re:Simple solution by YodasEvilTwin · · Score: 2

    So it will be the vendor or its employees selling your data instead. Or perhaps the government will force them to scan for any terrorist plots you might have been concocting before forcing them to wipe the drives.

  3. I've never sold a working harddrive in my life by CubicleView · · Score: 2

    And won't until this worrying trend of not including magnets in hard drives catches up to me.

  4. Anecdote by PPH · · Score: 4, Interesting

    A few years back, I happened to visit my dentist's office just after he had all of his workstations upgraded. By the medical/dental s/w maintenance vendor's technician. While the tech was standing there, I asked my dentist what he was going to do with all his old PCs. Donate them to a local school, he said. I asked if there was any patient data on them. He told me that the vendor's tech had reformatted the hard drives, so that wouldn't be a problem. I asked him (within earshot of that tech) if he had ever heard of the 'unformat' command. I then suggested that he have the vendor investigate DBAN before letting these machines off the property.

    I don't know who is responsible for the loss of patient data under HIPAA regulations. But I'd hope that vendors specializing in medical IT support would.

    --
    Have gnu, will travel.
  5. Only 1 in 10? by hahn · · Score: 3, Insightful

    I would venture to guess that most people don't realize that deleting a file doesn't completely wipe it. The bigger question is, how many people who buy or receive those second-hand drives are looking to recover the data, and what % of them would do something with it that would NOT be okay with the original owner. I'd like to think not that many. But then again, I wouldn't be surprised if there were scammers who look to buy cheap used drives to see if they can dig up some useful info on it. Seems to me that would be higher yield than trying to phish for it with spam, and easier than trying to hack websites.

    --
    "The only normal people are the ones you don't know very well."
  6. Re:Simple solution by couchslug · · Score: 2

    That would increase what I pay for hard disks.

    A shot with a hammer is cheaper than postage. Boom, done.

    --
    "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
  7. It's not all bad by Lord_of_the_nerf · · Score: 5, Funny

    I uncovered porn and tons of what's now 'abandonware'. Thanks, 16-year old boy from 1996 (I assume)!

  8. Re:Stop saving hard drives. They aren't valuable. by Gordonjcp · · Score: 3, Informative

    Taking a hammer to them is too much effort. A single pass of "dd if=/dev/zero of=/dev/sd" will utterly destroy all the data beyond any hope of recovery.
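A check that fits the single-pass zero overwrite described in the comment above, as an added example that is not part of the original thread: after the overwrite, read the target back and list any sectors that are not all zero. The function names, the 512-byte sector size and the constructed sample image are assumptions made for the illustration.

```python
import os
import tempfile

SECTOR = 512  # assumed logical sector size

def nonzero_ranges(path, chunk_sectors=2048):
    """Scan an image file (or block device node) and return (total_sectors, ranges),
    where ranges lists inclusive (first, last) sector runs that are not all zero."""
    ranges, index = [], 0
    with open(path, "rb") as dev:
        while True:
            buf = dev.read(SECTOR * chunk_sectors)
            if not buf:
                break
            n = -(-len(buf) // SECTOR)             # sectors in this chunk, rounded up
            if buf.count(0) != len(buf):           # fast path skips clean chunks
                for i in range(n):
                    sector = buf[i * SECTOR:(i + 1) * SECTOR]
                    if sector.count(0) == len(sector):
                        continue
                    if ranges and ranges[-1][1] == index + i - 1:
                        ranges[-1][1] = index + i  # extend the current run
                    else:
                        ranges.append([index + i, index + i])
            index += n
    return index, [tuple(r) for r in ranges]

def make_sample_image(sectors=8192, leftovers=((2047, 2049), (8191, 8191))):
    """Build a constructed test image: all zeros except a few 'missed' sectors."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as img:
        img.truncate(sectors * SECTOR)
        for first, last in leftovers:
            img.seek(first * SECTOR)
            img.write(b"constructed leftover data".ljust(SECTOR, b"\xAA") * (last - first + 1))
    return path

if __name__ == "__main__":
    path = make_sample_image()
    total, dirty = nonzero_ranges(path)
    os.remove(path)
    print(f"{total} sectors scanned, {len(dirty)} non-zero range(s): {dirty}")
```

A read-back through the operating system only covers the sectors the drive exposes; remapped sectors and hidden areas are outside what this scan can see.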

  9. I always smash my old drives with a hammer by FudRucker · · Score: 2

    and then bury them in the back yard and water em real good with a water hose, by the time somebody finds those they'll be as rusty as a pre WW2 jalopy

    --
    Politics is Treachery, Religion is Brainwashing
    1. Re:I always smash my old drives with a hammer by couchslug · · Score: 2

      I harvest the sweet, sweet magnets and scatter them in handy spots around my shop.

      If you slide a couple of magnets inside a Zippo between the wadding and the inner case, your lighter will stick to your tool box, cabinet, etc.

      Don't pry the magnets off their keepers as they are brittle. Heat them slightly over a stove or lighter and the glue will loosen whereupon you can slide them off.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
  10. Only? by Internetuser1248 · · Score: 4, Interesting

    Every 2nd hand hard disk I have ever acquired has had personal data on it. None of the previous owners had even attempted to delete the data; all the filesystem pointers were intact. On the other hand none of them ever had any useful data on them, unless I wanted to embarrass the previous owner by sending their porn collection to their wife/parents.

    1. Re:Only? by doesnothingwell · · Score: 2

      to embarrass the previous owner by sending their porn collection to their wife/parents.

      Found some porn once on an old hard drive; it looked like his wife, the joke was on me.

      --
      They can have my command prompt when they pry it from my cold dead fingers.
  11. Exactly by CFD339 · · Score: 2

    I'd have guessed 9/10 would have data on them. Higher than that if you could do real serious forensics and not just dropping the used drive in a reader.

    --
    The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln
  12. Re:Stop saving hard drives. They aren't valuable. by greg1104 · · Score: 2

    Let's say a typical drive is 100GB and writes at 100MB/s. That will average over 15 minutes to write zeros to every sector on the drive. The destructive throughput of a hammer is pretty fast compared to that.

  13. A fool proof method by dark+grep · · Score: 2

    A few years ago I resigned from a company on less than perfect terms. They took the laptop I had been using and sent it for forensic analysis (for some paranoid reason I can only guess). Anyway, the day before I left I had reformatted the drive and loaded Ubuntu to replace the Windows 2000 OS that was on there.

    The report from the (so called) forensic lab was that I had 'used powerful encryption to hide the contents of the hard drive'. Hell, I didn't even use a proper overwrite format, just the fast format option.

    So there you go. Either a 10 minute Linux install will beat a professional forensic investigation, or it's proof against fools. I favor the latter.

  14. Re:Simple solution by allo · · Score: 2

    This is not true.

    On a RAID5, you can have the disks arranged like:
    disk1: data, AS IS
    disk2: more data, AS IS ...
    diskN: disk1 XOR disk2 XOR ... XOR diskN-1

    diskN is quite useless to get the data, but the other disks contain the data the way it is.
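The layout described in the comment above, as an added example that is not part of the original thread: data units are written to the member disks unmodified and one XOR parity unit is kept per stripe, so every member of a retired array has to be wiped on its own. It goes one step beyond the comment by also modelling a rotating parity position; the 16-byte stripe unit, the function names and the sample record are constructed for the illustration.

```python
from functools import reduce

CHUNK = 16  # stripe-unit size in bytes (tiny, so the demo output is readable)
# Constructed sample record, not real data.
RECORD = b"name=Jane Example;card=0000-0000-0000-0000;dob=1970-01-01;" * 4

def xor_blocks(blocks):
    """Byte-wise XOR of equally sized blocks."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))

def build_array(data, n_disks, rotate=False):
    """Stripe data over n_disks members with one XOR parity unit per stripe.
    rotate=False: parity always on the last disk (the layout in the comment).
    rotate=True: the parity position moves with each stripe."""
    n_data = n_disks - 1
    stripe = CHUNK * n_data
    data = data.ljust(-(-len(data) // stripe) * stripe, b"\0")
    disks = [bytearray() for _ in range(n_disks)]
    for row, start in enumerate(range(0, len(data), stripe)):
        units = [data[start + i * CHUNK:start + (i + 1) * CHUNK] for i in range(n_data)]
        parity_at = (n_disks - 1 - row % n_disks) if rotate else n_disks - 1
        units.insert(parity_at, xor_blocks(units))
        for disk, unit in zip(disks, units):
            disk += unit
    return [bytes(d) for d in disks]

def rebuild(disks, missing):
    """Recompute one member from all the others (XOR of the rest)."""
    return xor_blocks([d for i, d in enumerate(disks) if i != missing])

def readable_fragments(disk, min_len=8):
    """Runs of printable ASCII found on a single member, strings(1)-style."""
    runs, cur = [], bytearray()
    for b in disk + b"\0":
        if 32 <= b < 127:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode())
            cur = bytearray()
    return runs

if __name__ == "__main__":
    for rotate in (False, True):
        disks = build_array(RECORD, 4, rotate)
        print("rotating parity" if rotate else "fixed parity disk")
        for i, d in enumerate(disks):
            print(f"  disk{i + 1}: {readable_fragments(d)[:2]}")
```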