Private information ***LIKE NEW***

By Frung at 2:29 am on February 13, 2009 | 3 Comments

Ever considered ‘recycling’ your computer without thoroughly wiping your hard drive first? Don’t. A recent study suggests that up to 40% of hard drives that end up on eBay and aren’t explicitly marked as erased may contain easily recoverable data from previous owners.

Experts at Kessler International purchased 100 hard drives from eBay over a six-month period, and 40 of those hundred contained data that could be recovered either by using forensic software or by simply plugging in the drive. Financial information and emails made up over 50% of the data they discovered, but they also found identifying information for many of the hard drives’ previous owners. They even stumbled upon a juicy cache of information that fueled a previous owner’s foot fetish.

The article then provides a few examples of known incidents where private corporate data has shown up on hard drives sold on eBay.

This sort of thing happens because people don’t know what they’re doing. So: how can you prevent other people from recovering your data, should they happen to acquire one of your old hard drives? Well, there are two ways really. You could keep all of the hard drives you ever use. Or, before you send your old hard drives away, you could be sure to use a DoD-grade piece of software or hardware (the recommended techniques are overwriting and degaussing) to remove all of the evidence that you once had a thing for people popping bubble wrap with their teeth while covered in chocolate syrup. You could also use full-disk encryption, if you want to challenge those who would access your data. But really it’s best to just completely obfuscate and obliterate anything that was once there with that DoD-grade sanitizer.

No one but the owners of the data can prevent unwanted data recovery, and only then by acting before it goes out into the free market. eBay can’t do anything about it, nor should they. It isn’t eBay’s job to monitor all the used junk vendors sell that could harm the original owners if those owners didn’t take the necessary precautions. That said, I’m surprised that company data ends up as part of the information found. Companies really should know better, and should already be employing the preventative techniques above.

Wait, what am I saying? No they shouldn’t. I’m opening eBay even as I type this. Hmm, I wonder what the chances are of finding a pre-release version of the next big Adobe product on one of these.

Filed under: Current Events, Physical Security, Privacy

3 Comments

  • 1
    Comment by Erik Turnquist

    February 13, 2009 @ 8:05 pm

    This issue does present a huge security risk. Owners of hard drives need to be made aware of the potential security issues. It seems like people often have a hard time realizing that not securely erasing their drives could result in a potential security risk. Something they might understand is that giving away your hard drive with financial data is basically the same as putting your financial information in your garbage without shredding it. I do disagree with what you say about how eBay shouldn’t be responsible for informing its users. I think that it is eBay’s responsibility to inform merchants that selling hard drives without properly erasing them can have grave security consequences such as identity theft. By including even a simple warning it could greatly increase user awareness of the potential security issues.

  • 2
    Comment by eyezac

    February 26, 2009 @ 8:29 pm

    I agree that it’s a good idea for eBay to *warn* potential old-hard-drive-vendors, but monitoring?–no. I’m pretty sure that’s what Mr. Frung was arguing against. Any clues where one could find a DoD-grade disk sanitizer like that?

    I’m assuming that most hard drives being sold on eBay are being sold because, while they may be obsolescent, or unwanted, they still work. What if a hard drive fails? Then does it become safe to throw it away? If not–if you can still read data off of a failed hard drive, then that would make me wonder 1) is it really broken? and if so, 2) how can you sanitize it if you can’t access it?

  • 3
    Comment by stemcel

    February 27, 2009 @ 11:06 pm

    Well you don’t really need a DoD-grade disk sanitizer, at least according to Craig Wright. The standard Unix tool dd should be enough to completely wipe the drive. Most tools that format (especially on Windows) default to a “quick format” that doesn’t really erase anything. It just replaces the index that lets you know where things are in the filesystem.

    There’s a standing offer called “The Great Zero Challenge” for anyone to recover data from a drive that’s been overwritten with zeroes just once. So far it’s been unclaimed.

    See this Slashdot thread for a more detailed discussion of the topic and plenty of related humor. For a funny note, read this comment.
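
The difference between a quick format and a full overwrite, discussed in the post and comments above, can be checked on a scratch image file. This is an added example, not code from the post or its commenters; the image file, the marker string, and the choice of the first 8 blocks as the "index" region are constructed assumptions that simulate a drive.

```shell
#!/bin/sh
# Added example: operates on a scratch image file, never on a real device.
set -eu

IMG="$(mktemp)"                        # constructed stand-in for a disk
trap 'rm -f "$IMG"' EXIT
MARKER="ACCT-4111-CONSTRUCTED-SAMPLE"  # constructed "private" data
BS=4096
BLOCKS=256                             # 256 x 4096 bytes = 1 MiB image

build_image() {
  # Fill the image with non-zero bytes, then plant the marker in the data area.
  dd if=/dev/zero bs="$BS" count="$BLOCKS" 2>/dev/null | tr '\0' 'U' > "$IMG"
  printf '%s' "$MARKER" | dd of="$IMG" bs="$BS" seek=100 conv=notrunc 2>/dev/null
}

quick_format() {
  # Simulated quick format: only the first 8 blocks (the "index") are rewritten.
  dd if=/dev/zero of="$IMG" bs="$BS" count=8 conv=notrunc 2>/dev/null
}

zero_wipe() {
  # One full pass of zeroes over every block, as dd would do on a drive.
  dd if=/dev/zero of="$IMG" bs="$BS" count="$BLOCKS" conv=notrunc 2>/dev/null
  sync
}

marker_present() {
  # Raw scan of the image, ignoring any filesystem structure.
  if grep -a -q -F "$MARKER" "$IMG"; then echo yes; else echo no; fi
}

nonzero_bytes() {
  # Read-back verification: how many bytes are still not zero.
  tr -d '\0' < "$IMG" | wc -c | tr -d ' '
}

build_image
echo "fresh image:        marker=$(marker_present)"
quick_format
echo "after quick format: marker=$(marker_present) nonzero=$(nonzero_bytes)"
zero_wipe
echo "after zero pass:    marker=$(marker_present) nonzero=$(nonzero_bytes)"
```

On a real drive the target would be the device node rather than an image file, and the read-back check is what confirms that the pass actually covered every block.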
