Sensitive Data Available For Sale On eBay
Sensitive data has been found on 42% of hard drives purchased on eBay and analyzed by Ontrack for a Blancco Technology Group report.
The storage drives were purchased from eBay in the U.S., U.K., Germany and Finland. As well as the sensitive data, researchers also found personally identifiable information (PII) on 15% of the forensically analyzed drives.
Every eBay seller that the researchers interacted with insisted that proper data sanitization methods had been used to ensure no data was left on the drives before being offered for sale. The breadth of information that was recovered from these drives, however, suggests otherwise. One drive belonged to a software developer "with a high level of government security clearance" that still contained scanned images of family passports and birth certificates along with financial records. Other drives were found to have 5GB of archived internal office email from a major travel company, 3GB of data from a freight company including documents that detailed shipping schedules and truck registrations, university student papers and associated email addresses and school data that was comprised of photos and documents with pupil names and grades.
"Selling old hardware via an online marketplace might feel like a good option" Fredrik Forslund, vice-president of cloud and data erasure at Blancco, says, "but in reality it creates a serious risk of exposing dangerous levels of personal data." This risk is increased when the organizations disposing of these drives, and the companies selling them on eBay, are under the impression that all data has been securely erased as part of the hardware decommissioning process.
Historically, the best practice as far as wiping drives to preclude data leakage involved forensic tools that used high-powered magnets. However, that is of little use when Solid State Drives (SSDs) are involved as they employ integrated circuit assemblies as memory. In order to ensure certainty data cannot be recovered, physically destroying, or shredding, the drive is the answer.