Credit: Jon Fingas
As an individual, you might have an old smartphone or tablet sitting around your house collecting dust. Before recycling it, you hire a company to wipe the drive clean of any personally identifiable information. With the storage on today’s smartphones, there could be credit card information sitting in the background.
You feel relieved as you pass off the device to be cleaned. A load off your shoulders, you have taken another item out of your house that was cluttering up the living room. Right? Well, the device might be gone, but the data might still live on.
The National Association for Information Destruction (NAID) found as much in a recent study, which revealed that 40 percent of the devices the group bought on secondhand markets had PII on them. NAID, an international watchdog and non-profit trade association for the secure destruction industry, conducted the study in the first quarter of this year.
NAID used CPR Tools data recovery services to investigate each device. The task was to perform basic data forensic transfer from working storage devices specifically using commercially available tools. In this study, the devices inspected were intended to be a representative view of what typical users own and thus discard: smartphones, tablets, and hard drives.
“As data storage is included in nearly every aspect of technology today, so is the likelihood of unauthorized or unintended access to that data,” states CPR Tools CEO John Benkert. “Auction, resell, and recycling sites have created a convenient revenue stream in used devices; however, the real value is in the data that the public unintentionally leaves behind.”
The devices can be found on the secondhand market, on sites such as eBay and Amazon. Organizations are required to destroy such information prior to disposal; any organization permitting undestroyed information to pass to an unauthorized person or organization is violating the law.
According to NAID, IT equipment being recycled is supposed to go to a qualified service provider specializing in secure data destruction, with legally binding assurance obtained that the recycler is accepting that responsibility. Too often, the organization claims to be erasing the data, but the contractual fine print (or terms and conditions) disavows any legal responsibility, instead stating that it is the responsibility of the individual to remove the data first.
“A 5-year-old with some free software off of the web could have done it,” Benkert said. No specialized hardware or physical repairs were made to any of the more than 250 devices.
PII recovered included credit card information, contact information, usernames and passwords, company and personal data, tax details, and more. While mobile phones had less recoverable PII at 13 percent, tablets were found with the highest amount at 50 percent. PII was also found on 44 percent of hard drives.