Two-thirds of used disc drives on Craigslist and eBay contain sensitive data

A padlock on a motherboard surrounded by keys

Two in three used hard drives sold on Craigslist and eBay could contain sensitive corporate information or data that identify the former owner, according to a new study.

From a haul of 200 randomly bought hard drives listed on Craigslist and eBay, Blancco Technology Group found that around 67 per cent of the used drives contained personally identifiable information and 11 per cent held sensitive corporate data, including company emails, CRM records and spreadsheets containing sales projections and product inventories.

The company said its findings show how "easy, common and dangerous" it was when businesses buy back and/or resell used electronics without properly wiping all data from them. It said that firms failing to wipe drive drives clean before they are resold, repurposed or recycled can cause irreparable damage to customer loyalty, brand reputation and sales, both near-term and long-term.

On 36 per cent of the used HDDs and SSDs containing residual data, users previously attempted to wipe the drives clean by dragging files to the Recycle Bin or using the delete button. A quick format was performed on nearly half (40 per cent) of the used drives with residual data found on them.

Out of the 200 used drives, only 10 per cent had a secure data erasure method performed on them, according to the research.

"With the Ashley Madison hack, in particular, users who wanted to make sure all of their data was erased from the dating site put all of their trust into the site's $20 'Full Delete' program," said Paul Henry, IT security consultant at Blancco Technology Group.

"Even though the obvious identifiers had been removed, enough information was left to expose the site's users. The big lesson for Ashley Madison and any other type of business should be to test that your deletion methods are adequate and to not blindly trust that simply 'deleting' data will truly get rid of all of it for good. Remaining data can still be accessed and recovered unless the data is securely and permanently erased," he added.