Old email addresses, thousands of credit card numbers, love letters, and even pornography: these are just some of the data that researchers have found left behind on devices for sale on the secondhand market.
These results are concerning for the National Association for Information Destruction (NAID), the international trade association for the secure information destruction industry. NAID’s mission is to help companies meet regulatory standards for data erasure set by the Department of Defense and the National Institute of Standards and Technology. CEO Bob Johnson told Quartz that private data can be successfully removed from old devices, but many resellers just don’t take the necessary precautions to delete it. E-waste that is not stripped of sensitive information can be an easy target for identity theft.
In a 2017 survey, one of the largest of its kind in recent years, the association looked at 258 mobile devices, tablets and computer drives and used only the most basic measures to try to extract data. They found that 40% of devices resold in “regular commerce channels” (think Amazon, eBay, and secondhand stores) contained personally identifiable information like tax details, usernames, passwords, and company and personal data.
These findings have been replicated over and over in the last fourteen years by various researchers. It’s not just individuals who are lax about removing data; companies around the world are at fault as well. In a 2007 study, researchers in Canada obtained 60 secondhand drives that had previously belonged to health care facilities. They were able to recover personal information from 65% of the drives. The data included, in the words of the researchers, “very sensitive mental health information on a large number of people.”
In a 2006 study of 200 hard drives obtained in the UK by the British Telecommunication’s Security Research Center and Edith Cowan, 20% contained enough information for individuals to be identified, 15% contained information of a “personal nature” and 10% contained financial information on the organization or individual from which they had originated. One hard drive still contained data about the plans for a classified missile system designed and built by weapons manufacturer Lockheed Martin.
Even as far back as 2003, two MIT graduate students purchased 150 previously-owned hard drives from secondhand markets to see if there was still personally identifying information on them. Of the 150 hard drives, only 9 percent had been properly cleared of their previous owners’ data. From the remaining drives, the researchers were able to use computer forensic techniques to find old email addresses, credit card numbers, fax templates, love letters, and porn.
Johnson says there are some cases where it might make more sense to destroy rather than resell old drives and devices, because it would require extreme effort to even attempt to retrieve data from the hard drive.
Meanwhile, there are more than 1200 U.S. companies with NAID membership who follow regulations for data erasure. So if you have sensitive information on an old hard drive or device, it may be worth your while to get it in the hands of a company that follows the federal standards for deleting data before reselling it.
According to Johnson, this simple act could have helped all of the consumers whose private data lives on in secondhand remnants: “Had they sent it to a qualified company to sanitize it, and that company knew what they were doing, you would not be able to get data off that drive. Even the NSA would not be able to get data off that drive.”