What do you do with unused devices like old phones and laptops? Do you store them until no further use, and then dispose them off? Or do you leave them unattended and let them rot away? Many of us may also take them to a resale shop without realizing that we are also selling the data present on the device. A research team has found that there are heaps of personal data stored on devices that are no longer used! This personal data left on used laptops, phones, tablets, and desktops may pose a threat.
Josh Frantz’ Experiment
Josh Frantz, a senior security consultant at Rapid7, experimented with old and unattended devices, which is generally considered to be “scrap metal.” For over six months, he collected old devices from pawn shops in Wisconsin. On examining them, it turned out that the devices contained a lot of personal data of its original users, enough to steal ones’ identity. The research included 41 desktops and laptops, 27 removable memory devices, 11 hard disks, and 6 mobile phones. According to him, he collected all this from 31 scrap resellers, for an approximate amount of just $600.
Optical character recognition tool was used by Frantz to scan for personal identity information (PII) like dates of birth, Social Security numbers, credit card details, mother’s maiden name, and other personal data. The junk collected gave Franz a pile of information such as –
41 Social Security numbers, 611 email accounts, 50 dates of birth, 19 credit card numbers, six driver’s license numbers, and two passport numbers. There were more than 200,000 images on the devices, 150,000 emails, and nearly 3400 documents.
Frantz, from his research, concludes that despite the inexpensive experiment, the amount spent to gather and retrieve information was more than what anyone would have made by selling the information on the dark web. The value of data has become so cheap that ample amounts of data can be bought on the dark net for as low as a dollar.
The University of Hertfordshire found in their study that more than two-thirds of used USB devices sold in the U.S. and U.K. have data of those who owned the devices earlier. Among the 100 used drives purchased in the U.S., 64 had deleted crucial data that can be easily recovered.
Destroying data that is no longer required
It is important to note that a file, when deleted on a device, may still be stored somewhere on the memory. The operating system simply makes the file into a space that can be overwritten, rather than remove the record altogether.
Smartphones or tablets can be restored to factory settings before they are handed over to scrap or for an exchange.
Many tools in the market can be picked to sanitize a hard disk. There are also free tools pre-installed with an operating system that function as good as the paid tools.
However, to truly erase data, the hard disk should not be attached to the same operating system. It should be connected as an external hard drive, and then any erasing tool can be run to wipe the data completely from a hard disk.
Destroying used devices
Frantz offers a few suggestions to destroy data and the device using a hammer, industrial shredding, acid, drill press microwave, electrolysis, and thermite. These should be done with proper safety and training. It is not advised to try these methods at home.
There are also data destruction companies that work in compliance with privacy laws like HIPAA. These companies can help destroy your data correctly without any traces left behind.
There are certain devices like CDs or DVDs which cannot be erased or rewritten. These devices should be broken before dumping them.
Data destruction has always been a prevalent issue. If you are an enterprise, then you should have your employees trained to deal with data that they may no longer require. EC-Council’s Certified Secure Computer User (C|SCU) program covers all the fundamental knowledge required to browse and use digital devices securely. The program ensures that the individual acquires knowledge and skill on secure practices for individual use and organizational use as a whole.