Thursday, 19th September 2019

42% of used drives sold on eBay are holding sensitive data

15% contained personally identifiable information (PII), putting individuals at risk of becoming victims of cybercrime.

Blancco Technology Group has published the findings of a new report, which looks at residual data on used storage drives purchased on eBay, the world's largest online marketplace. Conducted in conjunction with partner, Ontrack, the study analyzed 159 drives purchased in the U.S., U.K., Germany and Finland. Sensitive data was discovered to be present on 42% of devices, with 15% containing personally identifiable information (PII). This included:

•A drive from a software developer with a high level of government security clearance, with scanned images of family passports and birth certificates, CVs and financial records

•University student papers and associated email addresses

•5GB of archived internal office email from a major travel company

•3GB of data from a cargo/freight company, along with documents detailing shipping details, schedules and truck registrations

•University student papers and associated email addresses

•Company information from a music store, including 32,000 photos

•School data, including photos and documents with pupils’ names and grades

For every 20 drives, at least three had PII. Furthermore, each seller Blancco interacted with as part of the process stated that the proper data sanitization methods had been performed so that no data was left behind. This highlights a major concern that while sellers clearly recognize the importance of removing data, they are in fact, using methods which are inadequate.

“Selling old hardware via an online marketplace might feel like a good option, but in reality, it creates a serious risk of exposing dangerous levels of personal data," said Fredrik Forslund, VP, cloud and data erasure, Blancco. "By putting this equipment into the wrong hands, irreversible damage will be caused – not just to the seller, but their employer, friends and family members. It is also clear that there is confusion around the right methods of data erasure, as each seller was under the impression that data had been permanently removed. It's critical to securely erase any data on drives before passing them onto another party, using the appropriate methods to confirm that it’s truly gone. Education on best ways to permanently remove data from devices is a vital investment to negate the very real risk of falling victim to identity theft, or other methods of cybercrime."

As part of the research, a range of used hard drives from leading brands, including Samsung, Dell, Seagate, HP, Hitachi were purchased at random. The only requirement was that the drives had not been wiped using Blancco products. They were analyzed in early 2019 by partner Ontrack using proprietary data recovery tools. Once the recovery exercises were complete, the drives were then sanitized by Blancco to ensure permanent removal of the data.

Findings reveal that 37% of respondents have reported an incident to the ICO in the past 12 months,...
Nearly one-third (32%) of IT group employees in SMBs and mid-market enterprises globally said their...
Two-thirds of enterprises are s.truggling to embed security in the enterprise-IT architecture
Ping Identity has published two new white papers from its CISO Advisory Council on securing customer...
While only a third say regulatory change triggers purchase of new technology.
Respondents identify people as biggest source of cyber threats, with Facebook and BA as most notable...
Research reveals that companies investing in the latest cyber security products and services are ris...
New levels of industry collaboration will protect and secure people, processes and technology.