Please create an account to participate in the Slashdot moderation system

 


Forgot your password?
Close
typodupeerror
×
Government Security Hardware

Study Finds 1 in 10 Used Hard Drives Contains Old Personal Data 111

Posted by samzenpus from the sharing-secrets dept.
Lucas123 writes "A newly published study by Britain's data protection regulatory agency found that more than one in 10 second-hand hard drives being sold online contain recoverable personal information from the original owner. "Many people will presume that pressing the delete button on a computer file means that it is gone forever. However this information can easily be recovered," Britain's Information Commissioner, Christopher Graham, said in a statement. In all, the research found 34,000 files containing personal or corporate information were recovered from the devices. Along with the study, a survey revealed that 65% of people hand down their old PC, laptop and cell phones to others. One in ten of those people who disposed of their old devices, left all their data on them. The British government also offered new guidelines for ensuring devices are properly wiped of data."
This discussion has been archived. No new comments can be posted.

Study Finds 1 in 10 Used Hard Drives Contains Old Personal Data More

Study Finds 1 in 10 Used Hard Drives Contains Old Personal Data

Comments Filter:

  • Whoopdie-doo (Score:5, Insightful)

    by timeOday ( 582209 ) on Thursday April 26, 2012 @06:59PM (#39813851)
    Who is going to bother with a time-consuming forensic-analysis style attack with a 10% chance of success when you can break into some company and get thousands of credit card numbers and/or SSNs? Sheesh, if you want credit card numbers, just get a job at any restaurant as a waiter.

    • Comment removed (Score:5, Insightful)

      by account_deleted ( 4530225 ) on Thursday April 26, 2012 @07:02PM (#39813899)
      Comment removed based on user account deletion
      • But how many of the people that buy new HDD's to put in their computers know how to wipe them? I know a lot of people who can't even open the case, so the sample is going to be of more "Tech savvy" people.

        • Re: (Score:3)

          by CFD339 ( 795926 )

          How many Apple "Genii" (Genuses?) will bother to do a drive wipe? What about Geek Squad types? The red shirt guys (now there's a good name) in Staples? Even the ones who know -- will they wait the hour+ while the drive wipe happens?

          If I still did stuff like that for a living (thank FSM I don't and haven't in 20 years) I'd b pulling the drives as untouched as possible until I new the data transfer worked as well as possible. Then I'm done -- would I have the discipline to then waste and hour more wiping

      • I'd have guessed 9/10 would have data on them. Higher than that if you could real serious forensics and not just dripping the used drive in a reader.

      • Maybe 90% of people who sell their old drives before they stop working know how to properly wipe them... Do you sell your drives that still work?

    • Re: (Score:2)

      by agm ( 467017 )

      Sheesh, if you want credit card numbers, just get a job at any restaurant as a waiter.

      I don't understand this comment - I have never been to a restaurant where my credit card (or debit card) leaves my possession. And I always pay by either one of them. You actually give someone else your credit card and they then leave your sight with it?

      • Re: (Score:2)

        by Anonymous Coward

        Yes, you put the credit card in the payment book, then they take it away and run it. When they come back you sign the slip.

        • Re: (Score:3)

          by Anonymous Coward

          He also always does this (when he goes to a restaurant). And yet he also always never has it leave his sight. Hint: he doesn't leave his parent's basement; this is slashdot.

          • Re: (Score:3, Informative)

            by icebraining ( 1313345 )

            Or maybe (s)he lives in a country like mine, where GSM-connected portable card readers (with keypads for PINs) are ubiquitous? I know you're used to your broken payment systems, but you shouldn't assume everyone is.

          • Re: (Score:2)

            by agm ( 467017 )

            I have not been to a restaurant that does this, and I eat out a lot. I always pay on my way out, and I do this by inserting my card into the little machine and entering my details. My card never leaves my possession (and nor should it). You're not assuming I live where you do are you?

            • Re: (Score:2)

              by tbird81 ( 946205 )

              I'm from NZ. We tend to do what you do, pay at the door as we leave.

              When I've dined in the States I've felt obliged to leave the card in their little leather book thing. I think they do it that way to make tipping easier with cash. (You'd just add your tip, then round up, leaving the notes)

              Fortunately in NZ we don't have to tip, so the waiters don't help to make an artificial situation where your credit card is at risk of being stolen by restaurant staff.

        • Re: (Score:2)

          by rnturn ( 11092 )

          Not at McDonald's.

          (I don't consider that a ``restaurant'', though. I'm guessing the grandparent poster does.)

      • - I have never been to a restaurant where my credit card (or debit card) leaves my possession. And I always pay by either one of them. You actually give someone else your credit card and they then leave your sight with it?

        In the USA, yes. That's what normally happens.

        • Re: (Score:3)

          by agm ( 467017 )

          In the USA, yes. That's what normally happens.

          Damn, that's just asking for trouble. There's no way I would let anyone take my credit or debit card out of my sight. The majority of times I do the actual inserting of the card into the machine before entering my pin - the retailer never get their hands on it.

          • Not so long ago, it was like how he's describing it everywhere else in the world.

            As with any new technology, the more densely populated areas are the first to get it. Here in Ottawa, Canada, we've had the cellular and wireless card readers for years, and they're pretty much everywhere. Hell, even my pizza delivery guy has a cellular credit card reader. But if I get more than 100km from the city core, the chances of finding a wireless card reader drop off significantly. When you get out into the sticks, the

            • I live in Phoenix, AZ. Over 5 million in the metro area so we are not a rural area by any stretch yet wireless card readers are amazingly rare. When I ran my small business I tried to get a wireless card terminal, it was almost impossible. For some reason the banks had no problem with me having a normal wired terminal, yet they wanted all kinds of extra checks, deposits, and payments for a wireless one. It was nuts.

      • Re: (Score:2)

        by drsmithy ( 35869 )

        I don't understand this comment - I have never been to a restaurant where my credit card (or debit card) leaves my possession. And I always pay by either one of them. You actually give someone else your credit card and they then leave your sight with it?

        Yes. Completely normal in Australia [for restaurants that have table service].

        Also par for the course in other places I've lived and/or spent any significant amount of time - UK, Switzerland, France, USA.

    • Re: (Score:1)

      by Anonymous Coward

      how many card numbers do you think you can get working as a waiter before fraud detection homes in on you and sends your ass to felonyland?

    • Comment removed (Score:5, Insightful)

      by account_deleted ( 4530225 ) on Thursday April 26, 2012 @10:30PM (#39816217)
      Comment removed based on user account deletion
      • If they weren't encrypted, you wouldn't even need that. Boot up Knoppix and mount the disks and have it at. I used to use Knoppix as a cheap version of Ghost and data recovery tool for years when I was doing helldesk.

      • Re: (Score:2)

        by mcgrew ( 92797 ) *

        Hell he called me once to bring out my truck because one of the local telecos were tossing their old towers when they upgraded. i got nearly 40 towers with nothing but the windows password between me and ALL their data.

        The Windows password doesn't protect shit. Just put a Linux install CD in, run it in the "test this out to see if you like it mode" and all those data are there for you to take.

        All the Windows pasword does is protect Microsoft.

  • Don't sell hard drives! (Score:1)

    by Anonymous Coward

    Take them out, smash it with a sledgehammer and toss the scraps.

    • I prefer the ballistic solution. The reflective coating makes them a little easier to follow with open sights...

  • Require vendors to accept HDDs back for wiping, the same way they are required to accept batteries back for recycling. When you are done with your PC you can take it back to where you bought it for secure erasure, or optionally they could just send you a CD (or why not just include it in the box) that wipes the HDD and maybe puts it back to factory settings.

  • And won't until this worrying trend of not including magnets in hard drives catches up to me.
    • You obviously have no idea how a harddrive works...

      • You obviously have no idea how a solid state drive works....

        • Comment removed based on user account deletion
          • Interesting but not really necessary for me. The point of my joke/ completely truthful comment is that I've never owned an SSD and I've never sold a HDD. I have owned several 10 gig etc worthless (to me) harddrives which I've, without exception, torn to bits to get at the magical rare earth toys they contained. Oh and word to the wise, wear eye protection when unwrapping your magnets, those platters can shatter.

          • Re: (Score:2)

            by allo ( 1728082 )

            you really trust the drive vendor not to fuck up / implement backdoors? They could just implement the wipe by storing in the controller firmware "return only 0s for blocks not written since 'secure erase'", so i.e. some TLA-Agency could still recover data by using another firmware.

          • Interesting reading, but what does it have to do with the presence or absence of magnets in an SSD? :)

            The OP commented that he was fine simply removing the magnets from hard drives, leaving them unusable (which isn't exactly true, because you can still read the information if it's on the platter and the platter hasn't been destroyed), and that this would continue to work until the trend of there not being magnets in hard drives (meaning SSD's) caught up with him. The person he replied to said that this clea

  • Anecdote (Score:5, Interesting)

    by PPH ( 736903 ) on Thursday April 26, 2012 @07:11PM (#39814019)

    A few years back, I happened to visit my dentist's office just after he had all of his workstations upgraded. By the medical/dental s/w maintenance vendor's technician. While the tech was standing there, I asked my dentist what he was going to do with all his old PC's. Donate them to a local school, he said. I asked if there was any patient data on them. He told me that the vendor's tech had reformatted the hard drives, so that wouldn't be a problem. I asked him (within earshot of that tech) if he had ever heard of the 'unformat' command. I then suggested that he have the vendor investigate DBAN [dban.org] before letting these machines off the property.

    I don't know who is responsible for the loss of patent data under HIPAA [wikipedia.org] regulations. But I'd hope that vendors specializing in medical IT support would.

    • A "quick" format does not erase the data on the drive. A full format would, however (the drawback being a quick format is extremely fast and does not scale in time based on the drive size).

      A full format should be enough to keep most people from recovering the data without cracking the drive open and examining the physical platters.

    • I don't know who is responsible for the loss of patent data under HIPAA [wikipedia.org] regulations

      Your dentist is. They can transfer or share that responsibility with the IT vendor through a business partner agreement, but there's no magic claim of "Oh, I thought the IT vendor would know what to do!"

      That said, pretty much nobody gets fined under HIPAA. The first fine wasn't that long ago:

      http://threatpost.com/en_us/blogs/hipaa-bares-its-teeth-43m-fine-privacy-violation-022311 [threatpost.com]

  • Only 1 in 10? (Score:4, Insightful)

    by hahn ( 101816 ) on Thursday April 26, 2012 @07:12PM (#39814037) Homepage
    I would venture to guess that most people don't realize that deleting a file doesn't completely wipe it. The bigger question is, how many people who buy or receive those second hand-drives are looking to recover the data, and what % of them would do something with it that would NOT be okay with the original owner. I'd like to think not that many. But then again, I wouldn't be surprised if there were scammers who look to buy cheap used drives to see if they can dig up some useful info on it. Seems to me that would be higher yield than trying to phish for it with spam, and easier than trying hack websites.

  • I don't go over handwritten documents with a fucking eraser to re-use the paper.

    Take a hammer (nearly everyone has one of those) and smash the hard disk to destroy the platters. Hard disks are cheap enough to be expendable if they have "classified" or confidential information on them.

    HIPAA should mandate drive destruction when the drive is no longer needed.

    • Re:Stop saving hard drives. They aren't valuable. (Score:4, Informative)

      by Gordonjcp ( 186804 ) on Thursday April 26, 2012 @07:35PM (#39814347) Homepage

      Taking a hammer to them is too much effort. A single pass of "dd if=/dev/zero of=/dev/sd" will utterly destroy all the data beyond any hope of recovery.

      • Let's say a typical drive is 100GB and writes at 100MB/s. That will average over 15 minutes to write zeros to every sector on the drive. The destructive throughput of a hammer is pretty fast compared to that.

        • Bonus benefit, free neodymium super-magnets to amaze your friends! If it's a platter device, anyway.

        • Yeah, but you actually have to *do* it, as opposed to typing a single command and then going and doing something more fun for 15 minutes.

          And at the end of it, you've got a working totally blank hard disk, or it shows up incipient failing sectors.

        • Re: (Score:2)

          by 1u3hr ( 530656 )

          Let's say a typical drive is 100GB and writes at 100MB/s. That will average over 15 minutes to write zeros to every sector on the drive. The destructive throughput of a hammer is pretty fast compared to that.

          Depends whether you value you own time more than the computer's.

          It's a lot more time and effort to open the case and take out the drive, get a hammer, get a bag or something to wrap the drive in, dispose of the pieces of the drive, close the case, put the hammer back in the shed, than to insert a nuke boot CD and do something useful while it chugs away.

      • More people own hammers than know Unix.

        The problem is not a geek problem.

      • Taking a hammer to them is too much effort. A single pass of "dd if=/dev/zero of=/dev/sd" will utterly destroy all the data beyond any hope of recovery.

        This does not cover the case though of the hard drive being taken out of service due to flaky behavior developing with age. In that case you cannot assume that the drive ill erase itself properly (or at all if is fails out right). Now such a drive is not likely to be ever resold or reused, and it might require a malefactor to actually fix the drive in some way before recovering data from it, but the platter is still readable and a security risk.

        Besides whacking with a hammer is fun. Get a big hammer! (But w

      • For the average Joe, yes. But writing zeroes introduces a pattern, and high-tech equipment can pick up "leakage". Better to use if=/dev/urandom instead.

        Still not enough to protect you from industrial tools, but enough to protect you from Joe Hacker who also has access to dd.

        • No, there is no "leakage" to speak of, and no way to separate out the old data that may have left residue. Once a bit is overwritten, it's *gone*.

          No, the NSA do not have a big magic machine that can do it.

          • Re: (Score:2)

            by swalve ( 1980968 )
            I think that was theoretically possible on older drives (like the old MFM drives and maybe old mainframe drives), but certainly not any more. And even if they did, they wouldn't tell anyone. They would just use it to quietly gather information from unsuspecting targets, and then "git" them through some other method.

            • Exactly - old drives actually did use 0-to-1 and 1-to-0 transitions to mark bits. Modern drives use a technique more like QAM to pack many bits into a transition. Once it's gone, there's no picking apart a residual signal from what's there.

  • It's not all bad (Score:5, Funny)

    by Lord_of_the_nerf ( 895604 ) on Thursday April 26, 2012 @07:35PM (#39814343)
    I uncovered porn and tons of what's now 'abandonware'. Thanks, 16-year old boy from 1996 (I assume)!

  • 1 in 10? (Score:1)

    by Anonymous Coward

    Wouldn't it have been quicker to say 50%?

  • I always smash my old drives with a hammer (Score:3)

    by FudRucker ( 866063 ) on Thursday April 26, 2012 @07:49PM (#39814483)
    and then bury them in the back yard and water em real good with a water hose, by the time somebody finds those they'll be as rusty as a pre WW2 jalopy

    • I harvest the sweet, sweet magnets and scatter them in handy spots around my shop.

      If you slide a couple of magnets inside a Zippo between the wadding and the inner case, your lighter will stick to your tool box, cabinet, etc.

      Don't pry the magnets off their keepers as they are brittle. Heat them slightly over a stove or lighter and the glue will loosen whereupon you can slide them off.

  • Only? (Score:5, Interesting)

    by Internetuser1248 ( 1787630 ) on Thursday April 26, 2012 @08:08PM (#39814687)
    Every 2nd hand hard disk I have ever acquired has had personal data on it. None of the previous owners had even attempted to delete the data all the filesystem pointers were intact. On the other hand none of them ever had any useful data on them, unless I wanted to embarrass the previous owner by sending their porn collection to their wife/parents.

    • to embarrass the previous owner by sending their porn collection to their wife/parents.

      Found some porn once on old harddrive it looked like his wife, the joke was on me.

  • My company donates quite a bit of good used computer equipment every year, but I am very careful to remove all drives and reformat them. With a drill bit.

    • My idea of a thorough reformatting tool is thermite.

      • Re: (Score:2)

        by mcgrew ( 92797 ) *

        Saltpeter and sugar will do the job more safely and just as effectively. It'll burn damned near anything, you can even burn a hole in a cinderblock with it.

  • A fool proof method (Score:3)

    by dark grep ( 766587 ) on Friday April 27, 2012 @02:58AM (#39817655)

    A few years ago I resigned from a company on less than perfect terms. They took the laptop I had been using and sent it for forensic analysis (for some paranoid reason I can only guess). Anyway, the day before I left I had reformatted the drive and loaded Ubuntu to replace the Windows 2000 OS that was on there.

    The report from the (so called) forensic lab was that I had 'used powerful encryption to hide the contents of the hard drive'. Hell, I didn't even use a proper overwrite format, just the fast format option.

    So there you go. Either a 10 minute Linux install will beat a professional forensic investigation, or it's proof against fools. I favor the latter.

  • Some dodgy retailers in Australia have been re-shrink-wrapping used hard disks and selling them as new again.

    Typically this seems to be with resellers that offer a 7-day money back no-quibble guarantee.

  • My files don't have any buttons. Should I be worried?

  • I bought a USB drive from PC World last year. Sold as new. Got it home, found that my Windows PC wouldn't recognise the file system - it was formatted, and I could see the hardware, but the drive wasn't showing up. Out of curiosity I hooked it up to a Linux machine and had a nose. Turns out it was HFS formatted. Not only that but it had someone's time machine backup on it.

    So not only was the drive - probably illegally - sold as new when it was, in fact, second hand, but PC World hadn't even done a basic for

    • Re: (Score:2)

      by bonehead ( 6382 )

      Heh...

      Just yesterday I had to return a 1TB external drive to Best Buy that actually contained somebody's old 80GB drive in the enclosure.

      As if I wasn't pissed off enough at the hassle, and the fact that I believed I was buying a new drive and not a return, I also had to argue for 20 minutes and call in a store manager because they accused ME of being the one who made the swap.

      People are bastards.

  • This is why I keep a small quantity of thermite handy. The only proper disposal for my hard drives is complete and utter destruction.

Slashdot Top Deals

One man's constant is another man's variable. -- A.J. Perlis

Close