Have you resold your data to crooks?

Meet 'Ted,' 'Betty' and 'Bob' ... even if they don't want to meet you

Think that data on your discarded hard drive is as good as gone? There’s a good chance it’s not -- even if you reformatted it. That’s the finding from a recently released study by Fulcrum Inquiry LLP, a Los Angeles-based litigation consulting company that performs computer forensics.

Fulcrum Inquiry analyzed 70 used hard drives purchased from 14 different sources. The company was able to recover private data from 63% of the 60 drives that were still operational.

The results illustrate that companies and individuals alike still don’t know how to properly safeguard confidential material, despite well-publicized breaches to corporate data integrity and the need to protect personal information.

 "The study was mainly to take the pulse of what the market was doing," says Steve Peskaitis, computer forensic manager at Fulcrum Inquiry. "And quite honestly we were really surprised. We thought we wouldn’t find anything, but it was quite to the contrary."

Fulcrum Inquiry purchased and studied the drives in November, December and January. The company bought them off eBay and from computer show vendors, recyclers and stores that specialize in used computer equipment. Some drives came from individuals; others came from professional organizations, such as companies, state government, schools and hospitals, says Peskaitis, who declined to release the organizations’ names.

What they found

The information on the drives obtained ranged from ordinary items, such as vacation pictures and Web browsing details, to highly sensitive material such as Social Security numbers, bank account and credit card numbers, and confidential government documents.

Fulcrum Inquiry, in its release of the study findings, cited three examples as representative of what it was able to recover.

The first hard drive belonged to "Nurse Betty," who worked in a hospital pediatric ward. Fulcrum Inquiry was able to recover confidential medical records along with patients’ names, conditions, medications and doctors. The company notified the hospital about its findings and returned the drive; the hospital says it plans an investigation into why its own processes had failed to properly cleanse such information.

Another hard drive came from "Ted." He’s a project manager for a state agency, and his hard drive still contained thousands of government documents and communications, some of which were confidential. He had personal pictures and banking information on his hard drive, too, and some documents indicate that he appears to be moonlighting in a way that presents a conflict of interest with his government post -- not information anyone would want to let out. Peskaitis says the vendor selling Ted’s hard drive claimed it had been cleansed of all data.

In the third instance, Fulcrum Inquiry was able to learn from his used drive that "Bob" was unemployed and on disability. He spent time in jail and is now living in low-income housing. He has credit problems and is thousands of dollars in debt. His interests include playing a new guitar, body art, weight lifting and a fascination with a female celebrity. He stored pornographic pictures and videos on his hard drive, too.

As personal as all that is, other files could prove much more damaging to "Bob" because they include an image of his birth certificate, driver’s license and Social Security card -- enough to steal his identity. Peskaitis says "Bob" appeared to have formatted his hard drive before selling it, indicating that he didn’t want the information available.

Overall, Fulcrum Inquiry found that 37 drives (53%) contained recoverable information. Twenty-three drives (33%) had been properly wiped or cleaned, while 10 drives (14%) were nonoperational. The properly cleaned drives were either low-level formatted or wiped using special software that overwrites data, but all but four of the 37 drives with recoverable info had been formatted, presumably in an attempt to eliminate the data. Ebay proved the richest source of data-laden drives; every one of the operational drives purchased on eBay contained information that could be recovered.

Smaller or less expensive drives were more likely to contain recoverable information. Fulcrum Inquiry saw a recovery rate of 88% for smaller drives (80MB to 15GB), which ranged in price from 50 cents to $15 per drive. The recovery rate dropped significant for larger (15GB to 80GB) drives, which cost $15 to $26. Peskaitis says the difference between the drives indicates that businesses, which are more likely to use the larger drives, take data security more seriously and use more resources to sanitize the drives before they hit the secondary market.

How they did it

Peskaitis acknowledges that Fulcrum Inquiry used various software packages, as well as a specialized piece of hardware known as a write blocker to recover data from the drives. He says the cost of the software packages per workstation was about $5,000, while the cost of the write blocker was about $500 -- certainly within the reach of an enterprising would-be criminal who wanted to replicate Fulcrum Inquiry’s efforts.

The study also found that most of the drives purchased were supposedly cleansed of all data. "Every single purchase we made, we asked if they cleaned the hard drive. Almost all of them said they low-level formatted them," Peskaitis says.

But Peskaitis says most drives weren’t formatted properly. He also noted that several drives indicated that someone had started wiping them and then stopped before the wipe was complete.  

Several leading security experts weren’t surprised by the study. "It’s typical," says Simson L. Garfinkel, an associate professor at the Naval Postgraduate School in Monterey, Calif., and a fellow at Harvard University’s Center for Research on Computation and Society.

He points to several studies, including his own research that looked at more than 1,000 hard drives purchased on the secondary market in the past eight years, that similarly found sensitive data still residing on used drives.  

Sondra Schneider, CEO and founder of Security University, a computer security and information assurance training company in McLean, Va., says the problem persists for several reasons.

First, individual computer users, even those savvy enough to take out and resell their hard drives, often don’t know how to properly wipe the drives so that nothing remains, she says.

Meanwhile, many companies don’t spend the resources needed to develop strong asset management and e-waste disposal policies and processes to guarantee that drives are thoroughly cleansed either in-house or by reputable vendors.

Playing policy catch-up

"There’s a serious lag in terms of corporate culture catching up with computer security policies, because security is something that’s often thought of expendable," says George Davida, director at the Center for Cryptography, Computer and Network Security at the University of Wisconsin-Milwaukee.

John Spengler, senior operations manager at Intechra Inc., an IT asset disposition company in Jackson, Miss., says some companies just don’t understand the risk.

Some of Intechra’s clients bring in equipment without cleansing it because they believe the information on it isn’t critical. Others might use low-level formatting and erase select files, thinking those actions will take out all sensitive material.

"Some believe they did a good job at it, and they didn’t," Spengler says. "Even though they deem that there’s no critical information in there, it does open them up for risk."

The risk is very tangible, Peskaitis says. Companies that don’t properly cleanse their drives are essentially letting out their assets, sometimes in violation of privacy acts such as the federal Health Insurance Portability and Accountability Act (HIPAA). And in addition to being subject to fines, lawsuits and a public relations disaster, companies could face serious financial losses if their trade secrets or proprietary designs reached the wrong hands.

To properly dispose of data, Peskaitis says owners should low-level format the drive and then use wiping software designed to overwrite the information. He says owners can also use a company to dispose of the drive, although he and others recommend doing due diligence to ensure that the company delivers what it promises.

There’s one last option to consider, too: destroying the drive. Garfinkel says there’s a least one company that makes a device that will punch a hole through the drive, although at $10,000 it might be too pricey for some.

No worries. Garfinkel says a strong hammer blow to the drive will also do the trick.

Copyright © 2007 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon