ICO reveals reality of undeleted data on second-hand devices

An investigation has revealed that one in ten second-hand hard drives may contain residual personal information.

The Information Commissioner's Office (ICO) survey of second-hand hard drives sold online also found that 65 per cent of British adults now hand on their old phones, computers and laptops to a different user, with 44 per cent giving it away to someone else at no cost and around one in five (21 per cent) selling it to some other person.

Forensics firm NCC Group sourced around 200 hard drives, 20 memory sticks and 10 cellphones, and searched them using forensics tools freely available on the web. In total 34,000 files containing personal or corporate information were faraway from the devices.

The devices were mainly bought online from internet auction sites and a few were sourced at computer trade fairs. The research found that, while 52 per cent of the hard drives investigated were unreadable or were wiped of knowledge, 48 per cent contained information, 11 per cent of which was personal data. The quantity of non-public data found at the cellphones and memory sticks was described as 'negligible'.

Information Commissioner, Christopher Graham, said: “It is vital that folk do everything they are able to to forestall their details from falling into the inaccurate hands. Today's findings show that individuals are in peril of changing into a soft touch for online fraudsters because organisations and everyone is failing to make sure the secure deletion of the information hung on their old storage devices.

“Many people will presume that pressing the delete button on a working laptop or computer file signifies that it can be gone forever. However this knowledge can easily be recovered.”

up sourced around 200 hard drives, 20 memory sticks and 10 cellphones, and searched them using forensics tools freely available on the web. In total 34,000 files containing personal or corporate information were faraway from the devices.

Paul Vlissidis, technical director at NCC Group, said he hoped this research can be a wakeup demand the individuals and organisations who think their responsibility and liability ends with the delete button.

He said: “This isn't a case of scaremongering, or using sophisticated techniques only available to very large organisations. We purposefully used simple, easily sourced forensics processes and tools to illustrate that any information we accessed can also easily be stolen by people of criminal intent. It's sobering to think that just about half the used devices that you can buy contain personal information up for grabs.

"Ultimately, there is a huge amount of knowledge being stored that's potentially damaging inside the wrong hands. To guard both personal and company data, you might want to that folk become better educated about securely wiping devices, that's what this research is meant to focus on.”

Ollie Hart, head of public sector UK & Ireland at Sophos, said: “This latest research another time underlies the necessity for better education around data protection.  It's hard to believe that we're still seeing the sort of breach, particularly on account that four of the hard drives came from organisations other than individuals and contained details about employees and clients, including health and monetary details.

“It's disappointing to look one more example of organisations either not caring, or not understanding their obligations.  Ultimately, it's the responsibility of organisations in order for the information they're entrusted with is stored responsibly, whether that be centrally or locally.  Everyone should ask themselves three simple questions: Where is my data?  Do i've a policy for storing data locally?  And feature I considered the impact on both my customer and business of storing this knowledge?”