A team of cyber security researchers recently extracted as many as 75,000 'highly sensitive' documents from a hundred second-hand USB drives that were being auctioned on eBay.
With a large number of organisations choosing to store vast amounts of enterprise and customer data on cloud databases rather than in hundreds of thousands of SSDs and HDDs, many of them are now selling off used USB drives, SSDs, and HDDs to third-party retailers.
However, what many organisations do not realise is that merely deleting files from USB drives using standard drive formatting tools is not enough to prevent sensitive company data or customer data from falling into the hands of third parties. Standard drive formatting tools do not completely wipe many of such devices and some residue always remains.
Last year, secure data erasure solutions provider Blancco tested over 150 used SSDs and HDDs purchased from eBay in the U.S., Germany, Finland, and the U.K. Upon detailed analysis using proprietary data recovery tools, Blancco found that out of 159 SSDs and HDDs, 66 of them still contained some type of data and 25 of them contained personally identifiable information (PII) such as photos, birth certificates, names, email addresses and more.
In the 159 used drives that Blancco purchased from eBay stores and analysed, the firm found a lot of PII and other sensitive data that included over 5GB of archived internal office email from a large travel company, over 3GB of email from a cargo freight company, along with documents detailing shipping details, schedules and truck registrations, photos and Excel files from a religious group, and data from a school such as many pictures from kids’ activities, Microsoft Word and Microsoft Excel files with pupils’ names and grades.
The firm also found a drive from a software developer with a high level of government security
clearance (DV). The drive contained family birth certificates, scanned copies of family passports, CVs and financial records. Other drives contained company information from a music store that included 32,000 photos, 140 Microsoft Word and Excel files and plus photos from a school laboratory, and thousands of photos from a woman from Denmark, along with her name and her friends’ names.
Blancco noted that even though sellers of SSDs and HDDs make attempts to permanently wipe data from such drives before selling them to third parties, simply formatting them is not always enough for complete and permanent data removal. "The key issue with formatting is that there is no way to confirm that the data is gone. Verification and certification are key to ensuring data is permanently erased beyond recovery," it said.
"For businesses, this level of residual data can be costly. Consider the potential of having 15 out of 100 decommissioned and resold servers leaving your campus with corporate data remaining. Or three out of every 20 drives sent for recycling with traces of business information. It’s not unlikely.
"The best method for securely erasing drives is a software-based random overwrite method. Individuals and organisations alike would be wise to understand the effectiveness of the varying data deletion/wiping methods and leverage solutions that protect the privacy of their families, customers and employees, as well as their business reputation," the firm added.
Recently, a team of cyber security experts at the University of Aberlay purchased a hundred second-hand USB drives from eBay and were able to extract as many as 75,000 'highly sensitive' documents from 68 drives that had not been properly wiped.
The team used a USB Write Blocker, a publicly-available tool used to extract data from devices, to check if the second-hand USB drives contained any data that could be accessed and ultimately extracted a wealth of information that included bank statements, passwords, and health records.
The team noted that only 32 out of the 100 USB drives had been properly wiped and the rest of them leaked data records even though files stored in them were manually deleted. According to the researchers, the data included "CVs, Personal statements, Employment contracts, Time sheets; Data relating to apprenticeship trainees; Invoice records; Divorce information, Bank statements, Health records, and saved web pages."
"This is extremely concerning, and the potential for this information to be misused with extremely serious consequences is enormous. An unscrupulous buyer could feasibly use recovered files to access sellers' accounts if the passwords are still valid, or even try the passwords on the person's other accounts given that password re-use is so widespread," said Professor Karen Renaud from Abertay's Division of Cybersecurity.
According to Warren Poschman, senior solution architect at comforte AG, organisations that need to offset the cost of new items by reselling their old drives need to implement an advanced security posture using well known techniques, starting with volume-level disk encryption and finishing with data-centric security, where the actual sensitive data is protected regardless of what disk it is stored on.
"These protective measures, in particular data-centric security, ensure that any orphaned data is unusable regardless of if the storage is properly zeroized or degaussed. Consumers should be taking advantage of OS-based disk encryption such as Windows BitLocker and Apple FileVault and consider storing documents on secure cloud-based resources where permissible," he said.