People Too Often Fail to Properly Erase Personal Data in Used HDDs/SSDs – Kroll Ontrack

Putting personal information at risk

Kroll Ontrack, LLC carried out a security study that indicated we are putting our personal information at risk far too easily.
The data recovery company analyzed used drives to see if any traces of data remained after the previous owners sold them. Among the drives the company examined, traces of data were found on nearly half. Many of these innocent oversights allowed the new owners critical access into the previous owners' identity.
Despite user efforts to erase data, it can often be recovered if not done properly. This makes selling personal digital devices a matter of identity protection. The study involved an international scope, with a diverse array of countries taking part: the US, Germany, France, Italy, the AsiaPac region, Poland and the UK.
For the campaign, Kroll Ontrack purchased 64 drives from various sources over eBay (private sellers/consumers) and analyzed whether the used drives had been successfully wiped clean or still contained any traces of data. The study found that traces of data remained on 30 drives (47%), while the remaining 34 drives had been successfully cleaned (53%).

However, the likelihood of finding access to personal information was not the study's most concerning finding, but rather how sensitive that information often was. For the careless or uninformed user, selling personal data devices is little more than selling your identity.
 
The case of one drive epitomized the danger of identifying data traces. The drive had belonged to a company that used a service provider to erase and resell old drives. Despite that, the drive still contained a wealth of highly sensitive information, including user names, home addresses, phone numbers and credit card details. It contained an employee list of around 100 names that included information about work experience, job titles, phone numbers, language abilities, vacation dates and a 1MB offline address book.

The personal realm was not the only one affected, as work-related information also finds its way very often onto private devices. As such, business data extracted from the drives was also not in short supply. Six drives were found to contain critical business data such as CAD files, PDFs, jpegs, keys and passwords. Kroll Ontrack even found full online store set ups, configuration files and POS training videos in their scour of these six drives. A further five contained other work-related data: invoices and purchase orders, much of it including sensitive personal information

The best method to delete data is low-level formatting, which involves pattern filling drives at the lowest level. This method effectively resets drives back to the factory settings. Multiple overwrites provide additional security, especially when data erasure needs to meet specific legal overwrite standards. Professional products distinguish themselves by the following features: independent certifications, using internationally standard algorithms, detailed reporting and traceability of executed deletions.