A new global data security study from Blancco Technology Group and Kroll Ontrack found varying amounts and types of residual data on used mobile devices, hard disk drives and solid state drives purchased online from Amazon, eBay and Gazelle.com. Based on an examination of 122 pieces of second-hand equipment, 48 percent of the hard disk drives and solid state drives contained residual data, while thousands of leftover emails, call logs, texts/SMS/IMs, photos and videos were retrieved from 35 percent of the mobile devices.
Upon closer examination, it was discovered that a deletion attempt had been made on 57 percent of the mobile devices and 75 percent of the drives that contained residual data. Even more compelling was the discovery that those deletion attempts had failed because the methods used, though common, were unreliable, leaving sensitive information exposed and potentially accessible to cyber criminals.
As Paul Henry, IT Security Consultant for Blancco Technology Group, explains: “Whether you’re an individual, a business or a government/state agency, failing to wipe information properly can have serious consequences. One of the more glaring discoveries from our study is that most people attempt in some way or another to delete their data from electronic equipment. But while those deletion methods are common and seem reliable, they aren’t always effective at removing data permanently and they don’t comply with regulatory standards. There’s no better example of this danger than the findings of a recent state audit, which found that 12 US state agencies responsible for handling taxes, programs for people with mental illness and driver’s licenses used inadequate methods to attempt to wipe information. The big lesson for both businesses and consumers is to understand which deletion methods are effective and comply with regulatory standards and, most importantly, to be cautious of blindly trusting that simply ‘deleting’ data will truly get rid of it for good.”
Another startling finding was that the residual data left on two of the second-hand mobile devices were significant enough to discern the original users’ identities. Whether it’s a person’s emails containing their contact information or media files involving a company’s intellectual property, lingering data can have serious consequences. Together, all of the study’s findings serve as a powerful warning about the importance of using effective data erasure methods and the need to mitigate the security risks that arise when erasure is done improperly or incompletely.
“Manually deleting data or simply logging out of a mobile device app does not erase data from the device,” explains Todd Johnson, vice president of Data Recovery Operations, Kroll Ontrack. “Deleting data simply hinders the ability for the mobile device to locate the data – the actual data still remains and can be recovered. In the case of hard drives and solid state drives, formatting to securely delete data can lead to varying results as each operating system performs the action differently. To successfully delete data to a state where it cannot be recovered, one must completely overwrite the data using reputable deletion software.”
Additional findings from the study include:
- Basic file-deletion commands leave hard disk drive users with a false sense of security. On four of the drives containing residual data, or 11 percent, only a basic delete was performed, meaning that the user simply deleted the file or sent it to the recycle bin. This left 444,000 files exposed.
- ‘Quick format’ and reformatting are common, but unreliable, tactics to wipe personal information clean from old hard drives. Our analysis showed that ‘quick format’ had been performed on 61 percent of the drives with data still present.
- Data is difficult to delete and can easily resurface after mobile devices are resold. A deletion attempt had been made on 57 percent of the mobile devices on which residual data was found, yet 179 texts, 252 instant messages, 75 large photos and two SMS messages were left exposed.
- Leftover emails, text messages and instant messages can cause personal, financial and reputational damage to users and their employers. A total of 2,153 emails and 10,838 texts/SMS/instant messages were retrieved from the mobile devices analyzed.