You know how that data breach happened? Three words: eBay, hard drives
Social Security Numbers, financial data, CVs and more
Users are unwittingly selling sensitive and unencrypted data alongside their devices through the likes of eBay and Craigslist.
Secure data erasure firm Blancco Technology Group (BTG) purchased 200 second-hand hard disk drives and solid state drives before conducting a forensic analysis to find out what data was recoverable. Two-thirds (67 per cent) contained personally identifiable information and 11 per cent contained sensitive company information, it said. The data found includes social security numbers, CVs, company emails, CRM records, spreadsheets containing sales projections and product inventories.
Blancco experts found company emails on nine per cent of the drives, followed by spreadsheets containing sales projections and product inventories (five per cent) and CRM records (one per cent).
Two in five of the drives (36 per cent) showed evidence of an attempt to delete data (either by dragging files to the Recycle Bin or using the delete button). Such data is easily recovered as is, with a little more difficulty, data from drives that have been reformatted. Data erasure is needed to purge sensitive data from computer kit.
Out of the 200 used HDDs and SSDs, only 10 per cent had a secure data erasure method performed on them.
Paul Henry, IT security consultant for BTG, explained: “Users should not blindly trust that simply ‘deleting’ data will truly get rid of all of it for good. Remaining data can still be accessed and recovered unless the data is securely and permanently erased.”
The study - run during the first quarter of 2016 - underlines why the resale of used electronics without properly wiping data remains a common root cause of data breaches.
Blancco Technology Group chief exec Pat Clawson added resources and budgets are often allocated towards “tackling ‘scary’ data security threats, such as backdoor attacks, extortion hacks, malicious insider intrusions and malware” without considering less esoteric risks, such as offloading sensitive data through the sale of surplus kit.
“Investing in tools and methods to erase data from IT assets tends to sit low on their organisation’s list of IT security priorities,” Clawson said. “But as our study shows, the dangers are just as precarious when data isn’t securely and completely erased.”
Blancco has published the findings of its research in a paper titled The Leftovers: A Data Recovery Study. ®