You know how that data breach happened? Three words: eBay, hard drives

Social Security Numbers, financial data, CVs and more


Users are unwittingly selling sensitive and unencrypted data alongside their devices through the likes of eBay and Craigslist.

Secure data erasure firm Blancco Technology Group (BTG) purchased 200 second-hand hard disk drives and solid state drives before conducting a forensic analysis to find out what data was recoverable. Two-thirds (67 per cent) contained personally identifiable information and 11 per cent contained sensitive company information, it said. The data found includes social security numbers, CVs, company emails, CRM records, spreadsheets containing sales projections and product inventories.

Blancco experts found company emails on nine per cent of the drives, followed by spreadsheets containing sales projections and product inventories (five per cent) and CRM records (one per cent).

Two in five of the drives (36 per cent) showed evidence of an attempt to delete data (either by dragging files to the Recycle Bin or using the delete button). Such data is easily recovered; data from drives that have been reformatted can also be recovered, with a little more difficulty. Data erasure is needed to purge sensitive data from computer kit.

Out of the 200 used HDDs and SSDs, only 10 per cent had a secure data erasure method performed on them.

Paul Henry, IT security consultant for BTG, explained: “Users should not blindly trust that simply ‘deleting’ data will truly get rid of all of it for good. Remaining data can still be accessed and recovered unless the data is securely and permanently erased.”

The study - run during the first quarter of 2016 - underlines why the resale of used electronics without properly wiping data remains a common root cause of data breaches.

Blancco Technology Group chief exec Pat Clawson added that resources and budgets are often allocated towards “tackling ‘scary’ data security threats, such as backdoor attacks, extortion hacks, malicious insider intrusions and malware” without considering less esoteric risks, such as offloading sensitive data through the sale of surplus kit.

“Investing in tools and methods to erase data from IT assets tends to sit low on their organisation’s list of IT security priorities,” Clawson said. “But as our study shows, the dangers are just as precarious when data isn’t securely and completely erased.”

Blancco has published the findings of its research in a paper titled The Leftovers: A Data Recovery Study. ®

Biting the hand that feeds IT © 1998–2022