Several techniques used by businesses and individuals to purge mobile devices, laptops, and storage devices of data before disposing of them are not as effective as imagined.
Methods like formatting the hard disk, using file deletion commands, and manual data deletion often leave a dangerous amount of residual data on a system, contrary to what the device owners might assume, according to the findings of a new Blancco Technology Group and Kroll Ontrack study on the effectiveness of data deletion methods in systems resold online.
The findings are no surprise, says Paul Henry, an IT security consultant at Blancco, but they underscore the continuing disconnect that exists between perception and reality when it comes to proper data deletion.
Many businesses and individuals still don't fully understand data erasure methods and end up leaving behind residual data on systems they resell, he says.
Enterprises that take a lax approach and fail to monitor how, when, and where all of the data from their equipment is removed before it’s discarded, reused, or recycled, are exposing themselves to trouble. “If they fail to obtain actual verification that all data has been removed permanently, it’s simply irresponsible and can cause serious financial, legal, and reputational damage,” Henry says.
Kroll and Blancco purchased a total of 122 used hard disk drives, mobile devices, and solid state drives from eBay, Amazon.com, and Gazelle.com and examined them for traces of residual data. The review showed that 48%—or nearly half—of the hard disk drives and solid state drives had residual data on them, including personal and work emails, business presentations, and other documents.
Similarly, about 35% of the mobile devices examined had residual data on them, including leftover emails, texts, SMS, instant messages, and call logs. Researchers who conducted the study were able to retrieve over 2,150 emails as well as 10,838 text, SMS, and instant messages. In a handful of cases, the devices contained video as well.
Interestingly, attempts had been made to wipe data in 75% of the hard disk and solid state drives found with residual data. Around 57% of the mobile devices with residual data showed that a similar attempt to clean the devices had been made before they were sold.
The numbers show that a majority of those selling used computers, hard drives, and mobile devices online are making an attempt to clean the equipment first, but are not entirely successful in achieving that goal.
In the case of hard drives, 61% of the sellers used quick formatting, about 14% favored reformatting their drives, while 11% employed either a random data overwrite or a basic delete. About 3% of the sellers reinstalled their software in an apparent attempt to delete data.
With the exception of random overwrites, none of the other approaches were successful in getting rid of all the data on the devices. Sellers who used the random overwrite method were the only ones successful in completely wiping their devices clean of residual data.
The mobile devices that were studied, meanwhile, showed that the sellers had attempted to manually delete data on their systems or had simply logged out of their applications in an attempt to erase data. But such actions only make the task of finding the data on the device harder. They do not completely erase the data, the study by Kroll and Blancco noted.
Resetting the device to its default, factory settings can be effective, but not in all cases, the report added.