One in 10 secondhand hard drives in U.K. contain personal data
Survey by U.K. agency finds that 65% sell or give away their personal devices to others, many without scrubbing data
Computerworld - A study by the U.K. Information Commissioner's Office found that more than one in 10 secondhand hard drives sold or given away in Britain contains recoverable personal information of the original owner.
Upon releasing the results of the study this week, the data protection regulatory agency urged consumers to take better care of their data. It also released a list of ways individuals can securely delete personal information from old devices.
"Many people will presume that pressing the delete button on a computer file means that it is gone forever," U.K. Information Commissioner Christopher Graham said in a statement. "However this information can easily be recovered."
The ICO is the independent regulatory agency that oversees compliance with the U.K. Data Protection Act of 1998.
Its investigation found that 11% of used drives being resold contained residual personal information.
The agency last week also released the results of a survey that found 65% of people pass on their old phones, computers and laptops to other users -- 44% give equipment away for free while around one in five (21%) sell the hardware.
Selling personal devices is more popular among young people, as the survey found that 31% of 18 to 24-year-olds sell their old mobile phones, computers or laptops to somebody else.
The ICO survey also found that an alarming number of people -- one in 10 -- have disposed of a mobile phone, computer or laptop without deleting their personal information.
Studies of U.S. users have found similar results.
For instance, about three years ago a New York computer forensics firm found that 40% of the hard disk drives purchased in bulk orders on eBay contained personal information -- ranging from corporate financial data to Web-surfing histories to the downloads of a man with a foot fetish.
The forensics firm, Kessler International, followed its initial study with a second one about a year and a half ago that had roughly the same results.
"We weren't going after stuff on eBay that sellers said had been completely erased. We went after small-time resellers," said CEO Michael Kessler. "We found people's passwords, social security numbers."
During another study on used PDAs and Blackberry phones, Kessler International found "a treasure trove" of information including files with a list of passwords, bank account numbers, and business client lists, Kessler said.
"We could get into people's bank accounts with the information. One phone [had] an insurance company's client list, including account numbers and loan application information," he said.
In December 2010, the ICO asked computer forensics company NCC Group to search some 200 hard drives, 20 memory sticks and 10 mobile phones it had bought mainly from Internet auction sites and computer trade fairs.
The devices were then searched, initially without tools and then using forensic software available freely on the Internet.
The study found that 52% of the hard drives were unreadable or had been wiped of data, 48% contained some information and 11% contained personal data.
The amount of personal data found on the mobile phones and memory sticks was negligible, the report stated.
In all, the research found 34,000 files containing personal or corporate information on the devices. At least two of the hard drives contained enough information to enable the theft of the former owner's identity.
The residual documents included scanned bank statements, passports, information on previous driving offenses, and some medical details.
Four of the hard drives contained information about employees and clients of four organizations, including individuals' health and financial details.
"We live in a world where personal and company information is a highly valuable commodity. It is important that people do everything they can to stop their details from falling into the wrong hands," Graham said.
"Today's findings show that people are in danger of becoming a soft touch for online fraudsters simply because organizations and individuals are failing to ensure the secure deletion of the data held on their old storage devices."
Lucas Mearian covers storage, disaster recovery and business continuity, financial services infrastructure and health care IT for Computerworld. Follow Lucas on Twitter at @lucasmearian, or subscribe to Lucas's RSS feed. His e-mail address is email@example.com.