Second Hand Drives On eBay Still Hold Personal Data

Report reveals worrying amounts of personal data still held on second hand drives for sale

Sensitive data has been found on a large number of second hand hard disk drives (HDDs) and solid state drives (SSDs) on sale on eBay.

A free report from Blancco Technology Group said that it had worked with Ontrack data recovery specialists to buy disk drives in the United States, UK, Germany and Finland.

The results were concerning: sensitive data was found on 42 percent of hard drives purchased on eBay. Even worse, the researchers apparently found personally identifiable information (PII) on 15 percent of all the drives.

Old data

Forbes reported that every eBay seller insisted that proper data sanitisation methods had been used to ensure no data was left on the drives before being offered for sale.

It also reported that one drive belonged to a software developer who had a “high level of government security clearance.”

That drive apparently still contained scanned images of family passports and birth certificates along with financial records.

Other drives were said to have 5GB of archived internal office email from a major travel company, and 3GB of data from a freight company.

“Selling old hardware via an online marketplace might feel like a good option,” Fredrik Forslund, VP of cloud and data erasure at Blancco was quoted by Forbes as saying. “But in reality it creates a serious risk of exposing dangerous levels of personal data.”

Ongoing problem

And security experts agreed.

“The problem of sensitive data existing on hard drives available from resellers is a perennial problem with serious implications,” explained Tim Mackey, senior technical evangelist at Synopsys.

“For example, in August 2017 a ‘new in box’ hard drive purchased from eBay was found to contain information relating to the Arkansas Democratic party,” said Mackey. “The purchase of used computers also poses a similar issue as shown when a laptop bought on eBay was found to contain customer information for the Royal Bank of Scotland in 2008.”

“At the time, best practice to preclude data leakage when repurposing computers included wiping the drive using forensic tools potentially using high powered magnets,” said Mackey. “In the intervening decade since these reports, the usage of solid-state drive (SSD) technology for hard drives has boomed.”

“Since SSDs don’t store data in magnetic form, and rewriting blocks of data can shorten the lifespan of some SSDs, new processes to protect data prior to disposal are required,” he warned. “If sensitive data might be stored on the drive, it’s best to consider some form of full drive encryption model. For those situations where certainty is required that data can’t be recovered, the best solution is to physically destroy the drive – an option available from many data destruction vendors. Importantly, if the drive is slated for destruction, it’s important to obtain proof of destruction. After all, if it’s important enough to be destroyed, it’s worth the effort of confirming destruction.”

Triple rewrites

Another security expert agreed that this was an ongoing problem and that most people don’t know the best way to delete data.

“Deleting data is notoriously difficult,” said Sam Curry, chief security officer at Cybereason. “Most people don’t understand and probably shouldn’t have to understand how indexing works, but most so-called deletion just removes pointers to data and not the data itself.”

“When you put that file in the trash, the data itself isn’t touched, just the information about it,” said Curry. “Even wiping tools often do a poor or partial job, and for a true forensics expert there are still traces and memory at the physical level of data. Destruction of the device really doesn’t make the data go away either; sure parts of it might be damaged or hard to read because the media can’t be plugged in easily. The data, however, persists.”

“The conventional best practices for securely decommissioning drives before disposal are to get professionals that you trust (and that’s a big deal and another subject) to really wipe and rewrite every trace *three times*, which feels a little like overkill to lay people,” said Curry. “It does matter, though, when the data you have is in trust from and for other people.”

“Most hard drives are commodities, so the money you get for them is really not that significant,” Curry added. “If you’re selling systems individually, though, it rarely pays to rip it out for the customer, especially if the hard drives are old and necessary to run a system. As a company, you’re selling in bulk and that’s impractical too. Most importantly, the components in hard drives can harm the environment if not disposed of properly and have huge value to be reclaimed and re-used both for the environment and in the spirit of frugality with natural resources.”

“If you’re going to do this, set up a process as a company for it or go to a professional for wiping as an individual,” he concluded. “There’s definitely opportunity here for enterprising people who want to set up secure wiping services and to build this into recycling and operations processes in IT.”
