ICO reveals reality of undeleted data on second hand storage

An investigation has revealed that one in ten second-hand hard drives may contain residual personal information.

The Information Commissioner's Office (ICO) survey of second-hand hard drives sold online also found that 65 per cent of British adults now hand on their old phones, computers and laptops to a different user, with 44 per cent giving it away to someone else at no cost and around one in five (21 per cent) selling it to someone else.

Forensics firm NCC Group sourced around 200 hard drives, 20 memory sticks and 10 cell phones, and searched them using forensics tools freely available on the web. In total 34,000 files containing personal or corporate information were far from the devices.

The devices were mainly bought online from internet auction sites and a few were sourced at computer trade fairs. The research found that, while 52 per cent of the hard drives investigated were unreadable or have been wiped of information, 48 per cent contained information, 11 per cent of which was personal data. The quantity of non-public data found at the cellphones and memory sticks was described as 'negligible'.

Information Commissioner, Christopher Graham, said: “It is necessary that folk do everything they could to forestall their details from falling into the inaccurate hands. Today's findings show that folk are at risk of changing into a soft touch for online fraudsters because organisations and people are failing to make sure the secure deletion of the info hung on their old storage devices.

“Many people will presume that pressing the delete button on a pc file signifies that it's gone forever. However this data can easily be recovered.”

up sourced around 200 hard drives, 20 memory sticks and 10 cellphones, and searched them using forensics tools freely available on the web. In total 34,000 files containing personal or corporate information were faraway from the devices.

Paul Vlissidis, technical director at NCC Group, said he hoped this research should be a wakeup demand the individuals and organisations who think their responsibility and liability ends with the delete button.

He said: “This isn't a case of scaremongering, or using sophisticated techniques only available to huge organisations. We purposefully used simple, easily sourced forensics processes and tools to illustrate that any information we accessed can also easily be stolen by people of criminal intent. It's sobering to think that just about half the used devices that you can purchase contain personal information up for grabs.

"Ultimately, there is a huge amount of knowledge being stored which is potentially damaging within the wrong hands. To guard both personal and company data, it's worthwhile to that folks become better educated about securely wiping devices, that is what this research is meant to focus on.”

Ollie Hart, head of public sector UK & Ireland at Sophos, said: “This latest research once more underlies the desire for better education around data protection.  It's hard to believe that we're still seeing such a breach, particularly given that four of the hard drives came from organisations instead of individuals and contained details about employees and clients, including health and fiscal details.

“It's disappointing to peer one other example of organisations either not caring, or not understanding their obligations.  Ultimately, it's the responsibility of organisations making sure that the info they're entrusted with is stored responsibly, whether that be centrally or locally.  Everyone should ask themselves three simple questions: Where is my data?  Do I even have a policy for storing data locally?  And feature I considered the impact on both my customer and business of storing this knowledge?”