A new report from Blancco Technology Group has warned that those looking to make some money by selling used storage drives may be putting themselves at risk of falling victim to cybercrime.
As detailed in Privacy for Sale: Data Security Risks in the Second-Hand IT Asset Marketplace, Blancco, in conjunction with Ontrack, analysed 159 leading brand drives purchased through auction site eBay in the US, UK, Germany and Finland, discovering that almost half (42%) still held sensitive data.
Experts Comments:
Paul Bischoff, Privacy Advocate at Comparitech.com:
“Easy-to-use data recovery software is readily available online, often for free. While this software is targeted at users who have accidentally deleted files or cannot access data for some other reason, there’s nothing to stop criminals using the same methods of recovery.”
“Two studies we commissioned by the University of Hertfordshire show two-thirds of secondhand USB drives and SD cards still contain recoverable sensitive data from previous owners.”
“It’s relatively straightforward to wipe a USB drive, provided you use the right erasing or formatting software. The problem is that many people think they’ve wiped their drive by performing a delete or high-level format using their operating system’s built-in options, but in these cases, the data is usually recoverable.”
Warren Poschman, Senior Solution Architect at comforte AG:
“The second-hand market for used premium IT components such as traditional and SSD drives is hotter than ever – what is surprising is that even in 2019, not all organizations have basic procedures to safeguard their data. As a result, the second-hand market has become the 1990s version of dumpster diving before document shredding was en vogue. Organizations that need to offset the cost of new items by reselling their old drives need to implement an advanced security posture using well known techniques, starting with volume-level disk encryption and finishing with data-centric security, where the actual sensitive data is protected regardless of what disk it is stored on. These protective measures, in particular data-centric security, ensure that any orphaned data is unusable regardless of if the storage is properly zeroized or degaussed. Consumers should be taking advantage of OS-based disk encryption such as Windows BitLocker and Apple FileVault and consider storing documents on secure cloud-based resources where permissible.”
Aaron Zander, Head of IT at HackerOne:
“If you really want to sell a spinning disk drive I always recommend doing a 7-pass erase. If it’s an SSD and you have sensitive data on it, it is just better to destroy it.”
