A new report from Blancco Technology Group has warned that those looking to make some money by selling used storage drives may be putting themselves at risk of falling victim to cybercrime.
As detailed in Privacy for Sale: Data Security Risks in the Second-Hand IT Asset Marketplace, Blancco, in conjunction with Ontrack, analyzed 159 leading brand drives purchased through auction site eBay in the US, UK, Germany and Finland, discovering that almost half (42%) still held sensitive data.
What’s more, 15% of the drives assessed were found to contain personally identifiable information (PII), despite sellers surveyed by Blancco as part of the research stating they had used proper data sanitization methods to ensure no data was left behind. This worrying finding suggests that although sellers recognize the need to remove any data before looking to sell-on a storage drive, the methods they are using are inadequate.
“Selling old hardware via an online marketplace might feel like a good option, but in reality, it creates a serious risk of exposing dangerous levels of personal data,” said Fredrik Forslund, VP, cloud and data erasure, Blancco. “By putting this equipment into the wrong hands, irreversible damage will be caused – not just to the seller, but their employer, friends and family members.”
It is also clear that there is confusion around the right methods of data erasure, Forslund added, as each seller was under the impression that data had been permanently removed.
“It’s critical to securely erase any data on drives before passing them onto another party, using the appropriate methods to confirm that it’s truly gone. Education on best ways to permanently remove data from devices is a vital investment to negate the very real risk of falling victim to identity theft, or other methods of cybercrime.”
“Deleting data is notoriously difficult,” added Sam Curry, chief security officer at Cybereason. “Most people don’t understand and probably shouldn’t have to understand how indexing works, but most so-called deletion just removes pointers to data and not the data itself.
“Destruction of the device really doesn’t make the data go away either; sure parts of it might be damaged or hard to read because the media can't be plugged in easily. The data, however, persists.
“The conventional best practices for securely decommissioning drives before disposal are to get professionals that you trust (and that’s a big deal and another subject) to really wipe and rewrite every trace ‘three times,’ which feels a little like overkill to laypeople. It does matter, though, when the data you have is in trust from and for other people.”