42% of used SSDs and HDDs sold on eBay contain PII & enterprise data
14 May 2019
With a large number of organisations choosing to store vast amounts of enterprise and customer data on cloud databases rather than in hundreds of thousands of SSDs and HDDs, many of them are now disposing off used SSDs and HDDs to third-party retailers.
However, while most organisations take plenty of precautions to ensure that used SSDs (solid-state drives) and HDDs (hard disk drives) sold off to third parties do not contain personally identifiable information (PII) or business-sensitive documents, a new research has revealed that standard drive formatting tools do not completely wipe many of such devices and some residue always remains.
Between September and October last year, secure data erasure solutions provider Blancco tested over 150 used SSDs and HDDs purchased from eBay in the U.S., Germany, Finland, and the U.K. Upon detailed analysis using proprietary data recovery tools, Blancco found that out of 159 SSDs and HDDs, 66 of them still contained some type of data and 25 of them contained personally identifiable information (PII) such as photos, birth certificates, names, email addresses and more.
Simply formatting SSDs and HDDs can’t prevent data leaks
Considering that millions of used SSDs and HDDs are refurbished and sold again to new buyers at discounted rates on ecommerce platforms such as eBay, it is possible that organisations are unintentionally leaking personally identifiable information and business-sensitive documents to unintended recipients at an alarming rate.
In the 159 used drives that Blancco purchased from eBay stores and analysed, the firm found a lot of PII and other sensitive data that included over 5GB of archived internal office email from a large travel company, over 3GB of email from a cargo freight company, along with documents detailing shipping details, schedules and truck registrations, photos and Excel files from a religious group, and data from a school such as many pictures from kids’ activities, Microsoft Word and Microsoft Excel files with pupils’ names and grades.
The firm also found a drive from a software developer with a high level of government security
clearance (DV). The drive contained family birth certificates, scanned copies of family passports, CVs and financial records. Other drives contained company information from a music store that included 32,000 photos, 140 Microsoft Word and Excel files and plus photos from a school laboratory, and thousands of photos from a woman from Denmark, along with her name and her friends’ names.
Blancco noted that even though sellers of SSDs and HDDs make attempts to permanently wipe data from such drives before selling them to third parties, simply formatting them is not always enough for complete and permanent data removal. “The key issue with formatting is that there is no way to confirm that the data is gone. Verification and certification are key to ensuring data is permanently erased beyond recovery,” it said.
“For businesses, this level of residual data can be costly. Consider the potential of having 15 out of 100 decommissioned and resold servers leaving your campus with corporate data remaining. Or three out of every 20 drives sent for recycling with traces of business information. It’s not unlikely.
“The best method for securely erasing drives is a software-based random overwrite method. Individuals and organizations alike would be wise to understand the effectiveness of the varying data deletion/wiping methods and leverage solutions that protect the privacy of their families, customers and employees, as well as their business reputation,” the firm added.
How can firms permanently wipe all data from their used drives?
According to Warren Poschman, senior solution architect at comforte AG, organisations that need to offset the cost of new items by reselling their old drives need to implement an advanced security posture using well known techniques, starting with volume-level disk encryption and finishing with data-centric security, where the actual sensitive data is protected regardless of what disk it is stored on.
“These protective measures, in particular data-centric security, ensure that any orphaned data is unusable regardless of if the storage is properly zeroized or degaussed. Consumers should be taking advantage of OS-based disk encryption such as Windows BitLocker and Apple FileVault and consider storing documents on secure cloud-based resources where permissible,” he said.
According to Tim Mackey, senior technical evangelist at Synopsys, since SSDs don’t store data in magnetic form, and rewriting blocks of data can shorten the lifespan of some SSDs, new processes to protect data prior to disposal are required. If the drive in question supports the ATA SECURE_ERASE command, then that can be used to perform an effective factory reset on the drive.
“If sensitive data might be stored on the drive, it’s best to consider some form of full drive encryption model. For those situations where certainty is required that data can’t be recovered, the best solution is to physically destroy the drive – an option available from many data destruction vendors. Importantly, if the drive is slated for destruction, it’s important to obtain proof of destruction,” he added.