MIT Researchers Uncover Mountains of Private Data on Discarded Computers
July 14, 2013
As Hard drives grow in storage and decrease in price daily companies and individuals ask what do I do with my old hard drives? If you wipe your (format, fdisk or delete) data, then donate or sell the drives, your data is not completely gone; the right tools in the wrong hands can easily restore your old data.
A recent two-year MIT study (See article below) found that more than half of hard drives collected had recoverable data. Even more alarming, a large number of those hard drives contained personal information, such as credit card numbers, medical records and personal data.
Businesses are responsible for more than just their own proprietary data and held to the highest standards when it comes to privacy. You can review some of the laws that physical destruction protects your business from on the Disposal Facts page of our website. Software programs stored on your computer are covered by licensing agreements; this makes it illegal to distribute this software. If these programs fall into the wrong hands, software manufacturers can enforce their rights, which could result in your company facing fines in excess of $100,000 per violation.
CAMBRIDGE, Mass.–Discarded computers, even those with “erased” disk drives, may harbor confidential information such as credit card numbers and medical records, two MIT graduate students found.
Scavenging through the data inadvertently left on 158 used disk drives, the students at MIT’s Laboratory for Computer Science found more than 5,000 credit card numbers, detailed personal and corporate financial records, numerous medical records, gigabytes of personal email and pornography.
The disk drives were purchased for less than $1,000 from eBay and other sources of used computer hardware. Only 12 were properly sanitized.
“There are many stories in which somebody has bought a used computer and found confidential information on it, but nobody has ever quantified the scale of the problem,” said Simson Garfinkel, one of the students. “So we decided to find out.”
Results from the study, which Garfinkel performed with Abhi Shelat, are being published in the January/February 2003 issue of IEEE Security and Privacy. The research suggests that the secondary market is awash with confidential information, although work needs to be done to get more accurate statistics. More than 150 million disk drives were retired from primary service in 2002.
Of the disk drives acquired, 129 were functional. Of these, Garfinkel and Shelat found 28 disk drives in which little or no attempt had been made to erase any information. One of these drives, Shelat says, had apparently come from an automatic teller machine in Illinois and contained a year’s worth of financial transactions.
Attempts to erase information from the drives were usually ineffectual. On many disks, files that would typically be found in the “My Documents” folder had been deleted, but they could be recovered using a simple “undelete” utility. Undelete programs work because deleting a file does not actually overwrite the blocks on the computer’s disk that are used to hold the file’s information.
Roughly 60 percent of the disks were formatted before they were sold, but even formatting did not properly sanitize a disk because the Windows “format” command doesn’t actually overwrite every block–”the format command just reads every block to make sure that they still work,” Garfinkel said. “To properly sanitize the hard drive, you need to overwrite every block.”
On one of the “formatted” disks, Shelat found more than 5,000 credit card numbers.
Roughly 45 percent of the disks contained no files at all and the disks could not be mounted on the computer. Yet the data could still be retrieved by reading each block of the disk using special tools.