What are you (still) leaving on your hard drive?
New report shows many people are giving away their personal information when selling their computers online.
The letter was far from genteel. It was long and bristling and angry, revealing a bitter and potentially humiliating rift in one of the most prominent family businesses in Portland, Oregon. And the company gave it away—by mistake—on an old hard drive it sold off for cheap.
Luckily, I was the one who bought it, as an investigative reporter working on a story about the risks of selling off your computer without erasing the data on your hard drive. I returned the device to the company for full clean-up.
That was 15 years ago—but it turns out people and companies are still making the same blunders today, leaving potentially embarrassing and sensitive information hanging out for anyone to see.
Researchers with Blancco Technology Group bought 200 second-hand drives on eBay and craigslist at the beginning of this year and tested them for leftover data. The company’s report said two-thirds of the used hard drives gave up personal information. In many cases, the owners had tried various unsuccessful ways of deleting the data before selling.
“I was more saddened than surprised by our study’s findings,” said Blancco’s IT security consultant, Paul Henry, in a post. “Most people—and even businesses—mistakenly use these inadequate methods thinking their information is gone. But it’s not. The data can still be accessed and recovered.”
In another case, I showed up at a Portland man’s door with his old hard drive in hand. He was surprised to see it. But he had left his banking and personal information on the drive, more than enough for me to track him down.
The new report shows the same kind of not-so-hidden data on used drives—Social Security numbers, financial data and more. Also, one out of ten drives held “sensitive corporate information,” according to Blancco, like company e-mails, spreadsheets with sales projections and product inventories, and customer information.
Why would people and companies leave their data behind?
“They may think, ‘Maybe our data’s not important. Who would want our data? How could this be valuable?’” said Patrick C. Miller with Archer Security Group.
But that kind of thinking is risky, he said.
“Really, any data is worth money. Just because you can’t think of a way to use it against you doesn’t mean hackers can’t,” he said.
Tried to delete
More than a third of the hard drives with personal data showed that the owner tried to delete data by dragging files to the recycle bin or using the basic delete button, the report said.
“Standard deleting techniques don’t really remove the data,” said Miller. “They just remove the pointers to the data.”
That’s not a challenge for someone who really wants your information—and knows that a lot of people leave a data buffet on their used devices.
“There are lots of tools—free tools, easy to use tools—out there that can get that data without the pointers,” Miller said.
Many of the used drive owners went a step further—they did a “quick format” on their drives, perhaps with the hope that it would make their info inaccessible, according to Blancco. Once again, it left the info vulnerable. The report said 40% of the drives with leftover data had been quick formatted.
Formatting the drive doesn’t always erase the data, Blancco said in its report.
“I think people don’t realize that their data is very, very easy to recover,” Miller said. “They think that deleting it gets rid of it, and erasing drives take a little bit too much time. It’s not hard to do. I think people underestimate how easy it is to get the information off of their drive.”
Used phones can fetch a high price online. But another report last year showed similar problems. Out of 20 used mobile devices in a Blancco and Kroll Ontrack study, a third had leftover data, including thousands of e-mails and text messages.
Out of those mobile devices with “residual” information, more than half showed signs that the owners had tried to delete data.
“Manually deleting data or simply logging out of a mobile device app does not erase data from the device,” said Paul Le Messier with Kroll Ontrack in a statement. “Deleting data simply hinders the ability for the mobile device to locate the data—the actual data still remains and can be recovered.”
“Factory reset—a heavily relied upon deletion method—has been proven effective in some cases but not in others,” the report said.
The solution is erasing—writing over all of the data—rather than simply deleting.
Blancco sells software to get the job done. But you have other options, too, according to cybersecurity experts.
“You need to overwrite the data on the drive so your data is not there anymore,” said Miller. “That’s with tools like ‘Darik’s Boot and Nuke,’ colloquially known as DBAN.”
DBAN is free and available at DBAN.org, he said.
“DBAN is free erasure software designed for the personal user,” the site says. “It automatically deletes the contents of any hard disk that it can detect. This method prevents identity theft before recycling a computer.”
For businesses, the DBAN site recommends Blancco products.
“Business Users: Secure data erasure with audit-ready reporting is highly recommended. Please download a free evaluation license of Blancco 5 or buy licenses online,” the site says.
Apple explains how Mac users can erase their drives with the ‘Disk Utility.’
Windows 8 and 10 users can use the ‘Fully Clean The Drive’ option in ‘Reset your PC,’ according to Digital Trends.
You can learn about using Eraser and Roadkil’s Disk Wipe—and encrypting your data—from PC World.
Find a disk-wiping program that meets the Department of Defense’s Media Sanitization Guidelines—like DBAN or Eraser, advises Computerworld.
And if you want to physically destroy it, you can learn more from ZDNet.
Erase your phone
To protect your phone data from future hackers, Blancco and Kroll Ontrack recommend you erase it.
“For an Android device, use the device settings to encrypt the data and then perform a factory erase function,” the report said. “Any residual data will remain encrypted and unusable.”
In addition, the companies advise you to remove your micro SD card, if you have one.
“For an iOS device, use the iTunes restore function, making sure to restore back to the factory setting or use ‘Erase All Content and Settings’ from the iPhone menu,” the report said. “Both of these options delete the encryption key associated with the device rendering any remaining data (if any) unrecoverable.”
Some people use external SD cards with their phones. “To securely erase an external SD card—so that the data can never resurface—you first have to remove the SD card and insert it into a computer, which can correctly detect all of its sectors and run software to securely erase everything,” the report said.
Too much work?
To some, these steps may sound time-consuming or complicated. But they may be easier than dealing with the fallout of leaving personal information on your devices—hoping it is only an investigative reporter who shows up at your door, and not a crook with crime on his or her mind.
“People are not learning from others’ mistakes just yet,” said Miller.
“It’s like having unprotected sex,” he explained. “There’s no question that this is something that everybody knows—it’s just whether you are inclined to do it at the moment.”
And if you don’t?
“The risks are pretty great,” he said.