You would think that, with computers dominating every aspect of our lives, people would be aware that storage devices can retain information even after clicking "Empty Recycle Bin".
Not so, according to research by Finnish data removal specialist Blancco. The company purchased 159 random used drives on eBay in the US and Europe, and found that 42 per cent (or 67 devices) enabled anyone with basic IT literacy to access the data stored by their previous owners. A whopping 15 per cent contained personally identifiable information that could be used by cyber criminals.
Even more shocking are the contents of some of the drives. One, evidently belonging to a software developer with a high level of government security clearance (who really should have known better), contained scanned images of family passports and birth certificates, CVs and financial records. Another had 5GB of archived internal office email from a major travel company.
There was a drive that stored 3GB of records from a freight company, along with documents detailing schedules and truck registrations, and a drive from a school, filled with photos and documents mentioning pupils' names and grades.
Here's the interesting bit: Blancco claims that each seller it interacted with as part of the process stated that the proper data sanitization methods had been performed. Reminder: Blancco flogs data-removal tech so please grab the necessary handfuls of salt required with these findings.
A close shave: How to destroy your hard drives without burning down the data centreREAD MORE
"Selling old hardware via an online marketplace might feel like a good option, but in reality, it creates a serious risk of exposing dangerous levels of personal data," said Fredrik Forslund, cloud and data erasure veep at Blancco.
"By putting this equipment into the wrong hands, irreversible damage will be caused – not just to the seller, but their employer, friends and family members. It is also clear that there is confusion around the right methods of data erasure, as each seller was under the impression that data had been permanently removed."
Awareness of data wiping techniques is growing, but slowly. Blancco conducted a similar experiment in 2016, when it purchased 200 used drives and was able to extract data from 67 per cent.
Deleting a file typically only removes references to the object from the filing system, so that the file or directory appears to disappear from view, but the actual information still remains on the disk to be overwritten later. Your mileage may vary, depending on your operating system and filing system.
The only reliable method of exorcising ghosts of information on a working drive is to overwrite it with new data, or a random mix of ones and zeroes. Or use an encrypted file system or drive and then throwaway or randomize the key.
If that sounds too complicated, nothing makes sure data is truly gone like taking a good old-fashioned angle grinder or industrial shredder to your storage device. Oh, there's also degaussing for hard drives and tape, if you own a device that can generate a strong magnetic field. Or melting it down.
If you're looking for an exotic solution for your supervillain lair, Chinese storage company MemxPro will sell you SSDs with a physical self-destruct button. ®