Oh no, you're thinking, yet another cookie pop-up. Well, sorry, it's the law. We measure how many people read us, and ensure you see relevant ads, by storing cookies on your device. If you're cool with that, hit “Accept all Cookies”. For more info and to customize your settings, hit “Customize Settings”.

Review and manage your consent

Here's an overview of our use of cookies, similar technologies and how to manage them. You can also change your choices at any time, by hitting the “Your Consent Options” link on the site's footer.

Manage Cookie Preferences
  • These cookies are strictly necessary so that you can navigate the site as normal and use all features. Without these cookies we cannot provide you with the service that you expect.

  • These cookies are used to make advertising messages more relevant to you. They perform functions like preventing the same ad from continuously reappearing, ensuring that ads are properly displayed for advertisers, and in some cases selecting advertisements that are based on your interests.

  • These cookies collect information in aggregate form to help us understand how our websites are being used. They allow us to count visits and traffic sources so that we can measure and improve the performance of our sites. If people say no to these cookies, we do not know how many people have visited and we cannot monitor performance.

See also our Cookie policy and Privacy policy.

This article is more than 1 year old

What do sexy selfies, search warrants, tax files have in common? They've all been found on resold USB sticks

You do know just dragging stuff to the delete folder doesn't wipe stuff, right? Apparently not

About two-thirds of USB memory sticks bought secondhand in the US and UK have recoverable and sometimes sensitive data, and in one-fifth of the devices studied, the past owner could be identified.

These results come this week from a study conducted by the University of Hertfordshire in the UK and commissioned by Comparitech, a consumer product comparison website.

The researchers purchased 200 USB drives, 100 in the US and 100 in the UK between January and May 2018, from eBay, secondhand shops and conventional auctions. In the US, at least, most sellers demonstrated awareness of the need to erase data – only a single drive showed no sign of an erasure attempt. In the UK, 19 showed no sign of attempted cleansing.

Troublingly, the material recovered was often fairly sensitive. There were nude images of a middle-aged man, along with contact details. There were legal documents like a search warrant and risk assessments. There were financial papers dating back years, along with personal data. There were also tax forms, wage slips and the like.

From the data found, 20 former device owners in the US and 22 in the UK could be identified. The researchers, however, did not make an effort to contact those individuals to alert them to their poor data hygiene.

Sixty-four people in the US and 47 in the UK tried to delete their data, but didn't actually manage it. Eight USB sticks in the US and 16 in the UK had been reformatted, but the data could be recovered "with minimal effort."

About the same percentage of people managed to wipe their data successfully, presumably with a data erasing tool – 18 in the US and 16 in the UK.

There were also several drives that could not be read at all – six in the US and one in the UK – as well as one USB stick in the UK that could not be read because it was encrypted with BitLocker.

It's not that people don't know data should be deleted when disposing of drives. Rather they don't know how to do so in a way that makes the data unrecoverable. People often believe that rituals like dragging files to the trash and selecting "Empty Trash" or one-pass reformatting of storage media actually erase files.

As anyone with even modest knowledge of IT security will tell you, that's just not the case. Data deletion requires rather a bit of effort, which is why US standard bod NIST has more than 60 pages of guidance on the subject.

USB stick study graph

"This study would indicate that while in the US, some effort had been made to remove the data from the USB memory sticks in 99 per cent of the cases, in the UK this figure was only 81 per cent," the study says. "This would indicate a higher level of awareness in the US to the potential issues."

Despite this people in the US were no more likely to delete data successfully than those disposing of drives in the UK.

Computer makers could help matters by relabelling the "Empty Trash" menu to something more accurate like "Sweep Files Under the Rug" but computer users ultimately have to look after their own interests.

In an email to The Register, Paul Bischoff, editor of Comparitech, advised not cutting corners when erasing data. "If you're throwing it out, destroy it with a hammer or drill first," he said. "If you're selling it, use secure erasure software or a full, low-level format – not a 'quick' format – to completely remove remnant data." ®

 

Similar topics

TIP US OFF

Send us news


Other stories you might like