8 min read

Sensitive Data Can Lurk on Second-hand Hard Drives

Graham Cluley

May 07, 2019

Sensitive Data Can Lurk on Second-hand Hard Drives

As budgets tighten it’s not uncommon for consumers and organisations alike to save a few pennies, and buy previously-used IT equipment and storage devices.

The canny purchaser will be careful to choose a supplier who confirms that the equipment is working “as-new”, and will often be given assurances that drives have been securely wiped before sale to ensure the new buyer can get up-and-running as quickly as possible.

But the sad truth is that many such hard disk drives (HDDs) and solid state drives (SSDs) may not have been as securely wiped as the sellers promise.

This isn’t just potentially annoying to new purchasers, but downright alarming to those who originally disposed of the devices, and were promised the devices would be wiped clean with no risk that personally identifiable information (PII), intellectual property, or business-sensitive documents may have leaked out.

A recently-published study by the Blancco Technology Group underlines that such security and privacy concerns are well warranted.

Staff based at Blannco’s offices in the United States, United Kingdom, Germany and Finland purchased a total of 159 used SSDs and HDDs on eBay between September and October 2018, and then earlier this year asked data recovery experts at Ontrack to see what (if any) data they could recover from the supposedly wiped drives.

The data recovery specialists were specifically asked to hunt for the most sensitive data – PII – on the drives, all of which had been purchased from sellers who insisted that the devices they were selling had been securely wiped, with no data left behind.

What the experts discovered was alarming.  66 of the 159 drives (a staggering 41%) had some type of data found on them.  25 of the drives (15.7%) contained PII such as birth certificates, photographs, names, and email addresses – all of which could be exploited for the purposes of identity fraud.

Examples of the varied nature of data recovered from second-hand drives during the study included: 

  • A drive from a software developer with a high level of government security clearance that contained birth certificates, scanned passports, CVs, and financial records. 
  • Over 5GB of archived internal email conversations from a large travel company. 
  • Over 3GB worth of email from a cargo/freight company, alongside documents detailing shipping details, schedules and truck registrations. 
  • Company information from a music store, as well as 32,000 photos. 

On the remaining drives although no PII was discovered, system files were often found left behind.

Ironically many of the eBay sellers did believe that they had adequately wiped data, by formatting the drives – however that is not always sufficient to completely and permanently remove data.

This problem of second-hand hard drives containing sensitive data being sold on is not a new one.

For instance, in 2006, Idaho Power discovered that 84 drives it sent to a salvage vendor had ended up being sold to third-parties via eBay, without the data on the drives being scrubbed first.  The drives, which had been used in the power company’s servers, still contained confidential information such as memos, customer correspondence, and confidential information about staff.

The following year, a hard drive being offered “as new” on eBay was discovered to contain information from the Arkansas Democratic Party.  The computer technician who purchased the drive discovered that none of the data – which included the private cell phone numbers of Democratic members and their financial contributions - had been encrypted.

And just a couple of months ago, a researcher at security firm Rapid7 described how one of its staff had purchased scores of devices from businesses around his home in Wisconsin for a grand total of around $600, only to find a plethora of PII including email addresses, dates of birth, social security numbers, passport numbers, driving license details and credit card data.

“Out of the 85 devies I purchased, only two (the Dell laptop and Hitachi hard drive) were erased properly,” said Josh Frantz.  “Additionally, only three of the devices were encrypted.”

A disturbing statistic, and both the studies from Rapid7 and Blancco underline just how easy it was for someone to get their hands on sensitive data.

“Selling old hardware via an online marketplace might feel like a good option, but in reality, it creates a serious risk of exposing dangerous levels of personal data,” according to Blancco’s Fredrik Forslund. “By putting this equipment into the wrong hands, irreversible damage will be caused – not just to the seller, but their employer, friends and family members. It is also clear that there is confusion around the right methods of data erasure, as each seller was under the impression that data had been permanently removed.”

Clearly individuals and companies are being careless in their disposal of hardware that might be carrying sensitive data.  And it seems to me that you cannot necessarily trust the person or organisation to whom you are donating or selling your technology to do the job properly.

For that reason it seems to me that it’s sensible to wipe your data yourself, rather than relying on someone else to do it for you.  That’s not to say that you shouldn’t *also* choose to give the hardware to someone who will often to securely erase data, but don’t necessarily trust them to do the job properly!

Simply doing a quick format of a drive is unlikely to be sufficient in many cases. 

Experts recommend the use of secure data erasure software that overwrites an entire drive with meaningless gobbledygook (random characters), sometimes multiple times to support recognised industry standards.

It’s also recommended to use full disk encryption software such as

Apple FileVault and Microsoft BitLocker, which secure an entire drive with a (hopefully) hard-to-guess password.  Users are prompted for a password at boot-up, and cannot access data stored on the drive until it is entered.  When you want to dispose of the device at a later date it should be possible to discard the encryption key, effectively making your files unrecoverable should the data not be wiped properly.



Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

View all posts

You might also like