Personal info abounds on used devices
by Colin Staub
e-End is both a NAID AAA and R2 certified Electronics Recycling company. e-End offers IT Asset Disposition solutions for your businesses and electronics recycling collection for individuals, companies, and organizations. We are committed to assuring our clients that the data on hard drives, cell phones and other electronic media, have been properly destroyed and cannot be recovered by any means.
A random sampling of second-hand electronics for sale around Wisconsin found significant amounts of data, including hundreds of pieces of personally identifiable information.
In a blog post on the site of cyber security firm Rapid7, company staffer Josh Frantz describes an experiment he carried out to gauge companies’ data erasure methods. Frantz, a senior security consultant at Rapid7, purchased 85 used devices, a mix of computers, removable storage devices, hard drives and cell phones, from 31 businesses near his home in Wisconsin. All told, the devices cost about $600.
Frantz took them home and ran data-extraction procedures on them. For computers, he wrote a script to run through and index all documents, pictures, saved emails and instant messenger conversation histories. The data was collected and placed on a USB drive. Similar extraction procedures were run on the hard drives, removable storage devices and cell phones.
“Many businesses do not follow through on their guarantee to wipe the data from the devices people hand over to them.”
The experiment found that only one laptop and one hard drive had been erased properly, out of the 85 devices. A significant amount of data remained on the devices. The experiment retrieved 214,019 images, 148,903 emails and 3,406 documents from the devices. And from those files, Frantz discovered 611 email addresses, 50 birth dates, 41 social security numbers, 19 credit card numbers, six driver’s license numbers and two passport numbers.
Frantz concluded that “many businesses do not follow through on their guarantee to wipe the data from the devices people hand over to them.” He didn’t disclose where he purchased the electronics.
“When donating or selling your technology, you should be sure to wipe it yourself rather than relying on the seller to do it for you,” he writes, adding that “even if you get it in writing that your data will be erased, there’s no good way to know whether that’s actually true unless you perform the wipe yourself.
“If this research was any indication, it likely isn’t being wiped in a reasonably secure way,” the report states.
The Wisconsin report, which was published last month and highlighted in the April newsletter from Wisconsin-based ITAD company Cascade Asset Management, is one of several recent examinations into data destruction practices. The National Association for Information Destruction (NAID) this month referenced an investigation looking at data erasure in India. That study, carried out by Stellar Data Recovery, found that out of 311 devices, more than 71 percent contained personally identifiable information.
“When donating or selling your technology, you should be sure to wipe it yourself rather than relying on the seller to do it for you.”
NAID wrote that the Stellar study “establishes the problem of improper data erasure is a global issue and that data protection in one region of the world poses challenges for data security everywhere.”
Proper data destruction has received greater attention in the e-scrap and ITAD world, as large-scale data breaches have grabbed headlines and forced awareness of the need for secure destruction. Data security laws have also become more prevalent, sometimes placing requirements on electronics recycling companies.