Let’s start with the good news. When I asked one of my company’s engineers whether requests for data erasure were on the rise, we found out that there has been a massive rise of 466% over the past year in the UK. This included single device erasure in our labs of mobile phones, tablets and laptops as well as businesses requiring managed erasure services onsite using our Live Environment Erasure (LEE) solutions.
So, what’s driving that escalation in demand for data erasure from servers, drives, computers and mobile devices?
The introduction of GDPR in 2018 is one of the biggest drivers for businesses as organisations prepare for requirements such as the right to be forgotten. We have seen a significant rise in requests for secure erasure services as companies mitigate against the risk of holding the wrong information about employees and customers in the run-up to GDPR.
The increased use of mobile devices in both our personal and work lives is probably the largest factor behind the increase in demand for erasure, though, and with good reason. Today a mobile device will typically carry all manner of sensitive data. On a personal level, bank account logins, credit card details, addresses, emails as well as photos and music are stored. But work information, from email accounts to login details for secure servers, will increasingly be stored on the same device.
Organisations expect employees to work via smartphone, tablet or laptop while out of the office. The majority are aware of the policies required to safely erase data from mobile devices when upgrades are made or devices returned when employees leave the business. But what about devices that the company does not own and personal data that the individual or their employer would not want to fall into the wrong hands?
The Bad News
A recent study shows people too often fail to properly erase personal data in used drives, putting their own and others’ identity and privacy at risk. The global study indicated we are putting our personal information at risk far too easily. My company analysed used drives to see if any traces of data remained after the previous owners sold them. Among the drives we examined, traces of data were found on nearly half. Many of these innocent oversights allowed the new owners critical access into the previous owners’ identity.
Despite users' efforts to erase data, it can often be recovered if the erasure is not done properly. This makes selling personal digital devices a matter of identity protection. The study had an international scope, with a diverse array of countries taking part: the US, Germany, France, Italy, the Asia-Pacific region, Poland and the UK.
For the campaign, we purchased 64 drives from various sources over eBay (private sellers/consumers) and analysed whether the used drives had been successfully wiped clean or still contained any traces of data. The study found that traces of data remained on 30 drives (47 per cent), while the remaining 34 drives had been successfully cleaned (53 per cent).
However, the most concerning finding was not the likelihood of gaining access to personal information, but rather how sensitive that information often was. For the careless or uninformed user, selling personal data devices is little more than selling your identity.
The case of one drive epitomised the danger of identifying data traces. The drive had belonged to a company that used a service provider to erase and resell old drives. Despite that, the drive still contained a wealth of highly sensitive information, including user names, home addresses, phone numbers and credit card details. It contained an employee list of around 100 names that included information about work experience, job titles, phone numbers, language abilities, holiday dates and a 1MB offline address book.
The Devil In The Details
Eighteen of the 64 drives examined were found to contain critical or highly critical personal information. Nearly a third (21 drives) contained personal photos, private documents, emails, videos, wedding photos, audio or music. User account information was discovered on eight drives, including log-in data such as first name and last name, contact details, email address, online account names and passwords.
Transactional data was recovered from nearly every seventh drive (nine drives in total). This included company names, salary statements, credit card numbers, bank account info, investment details and tax returns. One drive still contained a record of browser history, while explicit data was located on another.
Risk Extends To The Business World
The personal realm was not the only one affected, as work-related information very often finds its way onto private devices. As such, business data extracted from the drives was also not in short supply. Six drives were found to contain critical business data such as CAD files, PDFs, JPGs, keys and passwords. We even found full online store setups, configuration files and POS training videos in our scour of these six drives. A further five contained other work-related data: invoices and purchase orders, much of it including sensitive personal information.
Method & Type
The study differentiated between HDD and SSD drives, noting the ever-growing trend toward flash devices (SSD). Though SSD drives were by no means immune to identity risk, they tended to facilitate more successful data wipes. Of the 64 drives purchased in total, 37 were HDD and 27 were SSD drives. Over half of the HDD drives contained traces of data while only a third of the SSD drives did.
The methods previous owners used to erase the data on their drives before selling them demonstrated an all-too-common lackadaisical approach. Though erasure methodology could not be determined for every drive, on at least eight no attempt whatsoever had been made to delete the data. The general trend was evident: people are putting their identity and privacy far too easily at risk.
A good method to delete data is low-level formatting, which involves pattern filling drives at the lowest level. This method effectively resets drives back to the factory settings. However, multiple overwrites provide additional security and the best results, especially when data erasure needs to meet specific legal overwrite standards. Professional products distinguish themselves by the following features: independent certifications, the use of internationally standard algorithms, detailed reporting and traceability of executed deletions.
The Challenges Of Erasing SSDs
SSDs behave very differently from HDDs when saving data to or erasing data from them. These technological differences present their own technical challenges when it comes to securely deleting data from flash storage media. SSDs have several functions that affect the state of the stored data, such as FTL (Flash Translation Layer function), which controls the mapping of files, as well as wear levelling, Trim, Garbage Collection and always-on encryption, all of which influence the recoverability of deleted or discarded data.
Delete Does Not Equal Erase
It is essential that organisations and individuals know what data they have and where it is stored. For businesses this may be a legal requirement; for individuals, failure to do so may leave them exposed to identity theft or fraud. It is essential that any storage device that once had personal information on it is erased properly and completely.
In a nutshell, simply deleting data does not erase it. My advice would be to choose a method that suits the specific storage media in question and make sure the process is 100% effective. Good erasure solutions will produce a certificate to verify the results, which is a great way of ensuring peace of mind that no residual data remains on your storage media before reusing, reselling or recycling.
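The pattern-fill overwrite described under Method & Type and the verified result recommended above can be sketched together. This is an added example, not the author's company's tooling: it wipes a constructed disk image and then reads every sector back to report residual data. The 512-byte sector size, the single zero-fill pass, the sample record and the names `overwrite`, `verify` and `demo` are all assumptions made for illustration.

```python
import hashlib
import os
import tempfile

SECTOR = 512  # logical sector size in bytes (assumed)
RECORD = b"name=Jane Example;card=0000-0000-0000-0000;"  # constructed data

def overwrite(path, fill=0x00, sectors=None):
    """Pattern-fill the first `sectors` sectors (default: the whole image)."""
    size = os.path.getsize(path)
    end = size if sectors is None else min(size, sectors * SECTOR)
    with open(path, "r+b") as f:
        for pos in range(0, end, SECTOR):
            f.write(bytes([fill]) * min(SECTOR, end - pos))
        f.flush()
        os.fsync(f.fileno())  # push the pass to the device, not just the cache

def verify(path, fill=0x00):
    """Read back every sector; list those that do not match the fill byte."""
    residual, total, digest = [], 0, hashlib.sha256()
    with open(path, "rb") as f:
        while data := f.read(SECTOR):
            digest.update(data)
            if data != bytes([fill]) * len(data):
                residual.append(total)
            total += 1
    return {"sectors": total, "residual": residual,
            "clean": not residual, "sha256": digest.hexdigest()}

def demo(sectors=64):
    """Compare a partial wipe with a full overwrite on a constructed image."""
    fd, path = tempfile.mkstemp(suffix=".img")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write((RECORD * SECTOR)[:SECTOR] * sectors)
        overwrite(path, sectors=8)   # only the start of the drive is wiped
        partial = verify(path)
        overwrite(path)              # every logical sector is wiped
        full = verify(path)
        return partial, full
    finally:
        os.remove(path)

if __name__ == "__main__":
    for report in demo():
        print(report)
```

A read-back like this only covers the logical addresses the host can see. On an SSD, blocks remapped by the FTL or retired by wear levelling are outside its reach, which is why the method has to suit the media.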