One in 10 secondhand hard drives in U.K. contain personal data
Survey by U.K. agency finds that 65% sell or give away their personal devices to others, many without scrubbing data
Computerworld - A study by the U.K. Information Commissioner's Office found that more than one in 10 secondhand hard drives sold or given away in Britain contains recoverable personal information of the original owner.
Upon releasing the results of the study this week, the data protection regulatory agency urged consumers to take better care of their data. It also released a list of ways individuals can securely delete personal information from old devices.
"Many people will presume that pressing the delete button on a computer file means that it is gone forever," U.K. Information Commissioner Christopher Graham said in a statement. "However this information can easily be recovered."
The ICO is the independent regulatory agency that oversees compliance with the U.K. Data Protection Act of 1998.
Their investigation found that 11% of used drives being resold contained residual personal information.
The agency last week also released the results of a survey that found 65% of people pass on their old phones, computers and laptops to other users -- 44% give equipment away for free while around one in five (21%) sell the hardware.
Selling personal devices is more popular among young people, as the survey found that 31% of 18 to 24-year-olds sell their old mobile phones, computers or laptops to somebody else.
The ICO survey also found that an alarming number of people -- one in 10 -- have disposed of a mobile phone, computer or laptop without deleting their personal information.
Studies of U.S. users have found similar results.
For instance, about three years ago a New York computer forensics firm found that 40% of the hard disk drives purchased in bulk orders on eBay contained personal information -- ranging from corporate financial data to Web-surfing histories to the downloads of a man with a foot fetish.
The forensics firm, Kessler International, followed its initial study with a second one about a year and a half ago that had roughly the same results.
"We weren't going after stuff on eBay that sellers said had been completely erased. We went after small-time resellers," said CEO Michael Kessler. "We found people's passwords, social security numbers."
During another study on used PDAs and Blackberry phones, Kessler International found "a treasure trove" of information including files with a list of passwords, bank account numbers, and business client lists, Kessler said.
"We could get into people's bank accounts with the information. One phone [had] an insurance company's client list, including account numbers and loan application information," he said.
In December 2010, the ICO asked computer forensics company NCC Group to search some 200 hard drives, 20 memory sticks and 10 mobile phones it had bought mainly from Internet auction sites and computer trade fairs.
The devices were then searched, initially without tools and then using forensic software available freely on the Internet.
The study found that 52% of the hard drives were unreadable or had been wiped of data, 48% contained some information and 11% contained personal data.
The amount of personal data found on the mobile phones and memory sticks was negligible, the report stated.
In all, the research found 34,000 files containing personal or corporate information on the devices. At least two of the hard drives contained enough information to enable the theft of the former owner's identity.
The residual documents included scanned bank statements, passports, information on previous driving offenses, and some medical details.
Four of the hard drives contained information about employees and clients of four organizations, including individuals' health and financial details.
"We live in a world where personal and company information is a highly valuable commodity. It is important that people do everything they can to stop their details from falling into the wrong hands," Graham said.
"Today's findings show that people are in danger of becoming a soft touch for online fraudsters simply because organizations and individuals are failing to ensure the secure deletion of the data held on their old storage devices."
Lucas Mearian covers storage, disaster recovery and business continuity, financial services infrastructure and health care IT for Computerworld. Follow Lucas on Twitter at @lucasmearian, or subscribe to Lucas's RSS feed. His e-mail address is lmearian@computerworld.com.