Old tech still not properly wiped
Rapid7 researcher Josh Frantz purchased 85 old gadgets from businesses and finds only two properly wiped devices. In total, he paid $600 for an aging collection of old computers, flash drives, phones and hard drives. What he found was that despite decades of the IT community urging consumers and businesses to properly wipe digital gear ahead of disposal, hardly anybody does. Frantz got data off of 80 devices he purchased from thrift stores and resale shops. Only two devices were wiped properly, and three devices were encrypted. He found 214,019 images, 3,406 documents and 148,903 email messages.
After extracting the data, Frantz used custom scripts that automated his forensic analysis. He used pyocr to try to identify Social Security numbers, dates of birth, credit-card numbers, and phone numbers on images and PDFs. He then used PowerShell to go through all the documents, emails and text for for the same type of information. He ended up collecting 611 email addresses, 50 dates of birth, 41 Social Security numbers, 19 credit-card numbers, six driver’s license numbers and two passport numbers. What was interesting is that most of the credit card numbers were from scans or images of the front and/or back of the card. He also found two passport numbers were also scanned into the computer.
What's interesting is that the estimated the black-market value of the data he salvaged, he wouldn't have broken even if he sold the information on the Darknet. In all he spent $600 on devices and $50 on three proprietary cellphone chargers. Frantz realized just how cheap it is to buy people's information on the Darknet. Social Security numbers can be bought for about a buck apiece, while full documents cost around $3 each. No matter how he calculated the value of the data, he would never recoup our initial investment of $600.
What this highlights is that data leakage/extraction is so common that it has driven down the cost of the data itself. His findings were similar to a study conducted 16 years ago at the Massachusetts Institute of Technology. Two graduate students bought 158 hard drives on EBay and from online shops. Of 129 drives that worked, 69 had recoverable files and 49 contained personal information, including 3,700 credit card numbers and medical data. Only 12 of the usable drives had been properly wiped.
When donating or selling your technology, you should be sure to wipe it yourself rather than relying on the seller to do it for you. That holds true today as it did when it was advised 16 years ago. Users must be educated about the proper techniques for erasing disk drives. Organizations must adopt policies for properly erasing drives on computer systems and storage media that are sold, destroyed, or repurposed. If military spec wiping just won't cut it, permanently destroy the data by destroying the device.