Between September and October 2018, Blancco’s information technology (IT) staff in the United States, Germany, Finland and the United Kingdom purchased more than 150 used data storage devices, including solid-state drives (SSDs) and hard disk drives (HDDs), on eBay. The company’s intention was to have the drives examined to see if they contained any sensitive personal information.
“In this study, we wanted to go to the most common marketplace,” says Fredrik Forslund, vice president of enterprise and cloud erasure solutions at Finland-based Blancco, which provides data erasure solutions for IT assets.
Drives from a wide range of brands, including Samsung, Hitachi and original equipment manufacturers (OEM), such as HP and Dell, were purchased.
Washington-based data recovery and data destruction firm Ontrack analyzed the drives in early 2019 using proprietary data recovery tools to see if any data, particularly personally identifiable information (PII), were left behind. Out of the 159 drives analyzed, data were found on 66 devices, with 25 of the drives containing PII, including photos, birth certificates, names, email addresses and more.
“Every time it happens, it’s a ticking bomb because it can be sensitive information,” Forslund says. “Just one drive in the wrong context with the wrong information can cause a huge scandal, and we’ve seen that over and over again over the last 20-plus years.”
Privacy for sale
Titled “Privacy for Sale: Data Security Risks in the Second-Hand IT Asset Marketplace,” the study found that more than 15 percent of the drives tested contained PII that could be dangerous in the hands of identity thieves or hackers. For every 20 drives, at least three had PII.
For example, a drive from a software developer with high-level government security clearance had family birth certificates, scanned copies of family passports and financial records. Another group of drives used in a hospital contained data that allowed Ontrack to pinpoint the exact office in France where they worked, along with several car registrations from the company.
On the other drives containing data, system files often were left behind.
“We find so many drives with corporate information,” Forslund says. “I can see to some extent that private individuals or small offices would be more vulnerable for not understanding how data sanitization should happen, but we always find high levels of large enterprise data on drives that we test like this, and this is a little bit of a surprise in this day and age.”
Blancco has provided thousands of organizations with data erasure solutions to securely manage and decommission end-of-life electronics. The company says it has conducted studies on storage devices to raise awareness of the possible gaps in IT asset disposition (ITAD) processes.
“We’ve been growing up with the ITAD industry, and we’ve been servicing it for 20 years,” Forslund says. “For us, this is not the first time; but, the interesting part is that every time we do it, we always find a surprisingly high level of data on drives that haven’t been through a professional sanitization process.”
An increased focus on data protection and privacy legislation around the world, including the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), which was signed into law in June 2018, also is driving the need for good ITAD and data overwriting processes.
According to the study, every seller Blancco purchased drives from insisted proper data sanitization methods had been followed. This demonstrates that sellers in the secondhand marketplace are attempting to permanently overwrite data; however, many are failing, Blancco says.
“There are still several organizations that have gaps in their processes and gaps in their knowledge around data sanitization,” Forslund speculates. “They may be processing part of their equipment with a professional and running their own internal processes, but they’re not able to cover everything.”
Forslund says the ITAD industry in general needs to be aware of recent technology changes. “There’s still a lot of people processing HDDs in one process and hoarding SSDs on-site at a data center because they still believe there’s no way to get data off an SSD drive,” he says. “That handling of loose drives is an unsecure way of trying to deal with the problem. Today, what’s important to realize is that HDDs and SSDs are being securely processed through the same software.”
He adds, “I think there’s policy work that needs to be done where there’s [a] requirement for that verification. Any professional ITAD player will be able to present that verification and audit trail to the customer. But there are some players in the industry that pick up the equipment, say it will be properly handled and in the end it isn’t, and things like this happen where sensitive information is available on eBay.”
“Every time it happens, it’s a ticking bomb because it can be sensitive information.” – Fredrik Forslund, vice president of enterprise and cloud erasure solutions, Blancco
Forslund says he believes that with more policy work, organizations will be required to provide certificates of verification that devices have gone through the correct and updated ITAD process “to ensure no data is left behind.”
A trend is developing in the tech industry to conduct software data sanitization processes in-house instead of outsourcing the services, Forslund says.
“I think the message for the future is that you should be able to have best practices in all different categories to complete for the long-term contracts,” he says. “You have to be able to do some services on-site and some of the services at your processing facility.”