As an individual, you might have an old smartphone or tablet sitting around your house collecting dust. Before recycling it, you hire a company to wipe the drive clean of any personally identifiable information. With the storage on today’s smartphones, there could be credit card information sitting in the background.
You feel relieved as you pass off the device to be cleaned. A load off your shoulders, you have taken another item out of your house that was cluttering up the living room. Right? Well the device might be gone, but the data might still live on.
The National Association for Information Destruction (NAID) found such in a recent study that revealed 40 percent of the devices the group bought on secondhand markets had PII on them. NAID, which is an international watchdog trade and non-profit trade association for the secure destruction industry, conducting the study in the first quarter of this year.
NAID used CPR Tools data recovery services to investigate each device. The task was to perform basic data forensic transfer from working storage devices specifically using commercially available tools. In this study, the devices inspected were intended to be a representative view of what typical users own and thus discard: smartphones, tablets, and hard drives.
“As data storage is included in nearly every aspect of technology today, so is the likelihood of unauthorized or unintended access to that data,” states CPR Tools CEO John Benkert. “Auction, resell, and recycling sites have created a convenient revenue stream in used devices; however, the real value is in the data that the public unintentionally leaves behind.”
The devices can be found on the secondhand market, on sites such as eBay and Amazon. Organizations are required to destroy such information prior to disposal, any organization permitting undestroyed information to pass to an unauthorized person or organization is violating the law.
According to NAID, recycled IT equipment is supposed to go to a qualified service provider specializing in secure data destruction, and obtain legally binding assurance that the recycling is accepting that responsibility. Too often, the organization claims to be erasing the data but the contractual fine print (or terms and conditions) disavow any legal responsibility; instead, stating it is the responsibility of the individual to remove the data first.
CPR Tools CEO John Benkert
“A 5-year-old with some free software off of the web could have done it,” Benkert said. No specialized hardware or physical repairs were made to any of the more than 250 devices.
PII recovered included credit card information, contact information, usernames and passwords, company and personal data, tax details, and more. While mobile phones had less recoverable PII at 13 percent, tablets were found with the highest amount at 50 percent. PII was found also found on 44 percent of hard drives.
NAID reported it recovered the following PII data from the hard drives:
- Credit card information
- Names
- Addresses
- Photographs
- Videos
- Emails
- Usernames (files named users.doc etc)
- Passwords (files named passwords.txt etc)
- Company and Personal financial information
- Physical navigation history
- Internet navigation history
- Social media credentials
- Tax information
NAID recovered the following PII data on smartphones:
- Names
- Phone numbers
- Addresses
And the following PII data was recovered from the tablets NAID received:
- Credit card information
- Names
- Addresses
- Photographs
- Emails
- Usernames (files named users.doc etc)
- Passwords (files named passwords.txt etc)
- Physical navigation history
- Internet navigation history
- Social media credentials
Robert Johnson, NAID CEO, points out that while this study’s results show a decrease in data found compared to past studies, “NAID employed only basic measures to extract data – imagine if we had asked our forensics agency to actually dig!”
He goes on to surmise that “40 percent is horrifying when you consider the millions of devices that are out there.”
Johnson cautions that the results are not an indictment of reputable commercial services providing secure data erasure. “We know by the ongoing audits we conduct of NAID Certified service providers that when overwriting is properly done, it is a trustworthy and effective process. The problem lies with service providers who are not qualified and, too often, with businesses and individuals who feel they can do it themselves.”
NAID noted that there has been a history of criminals buying devices on the second-hand market for the sole purpose of gathering PII. One report of second-hand equipment being sent for processing to Nigeria was linked to an organized effort to mine the equipment.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.