An investigation by the ICO reveals that businesses are failing to wipe hardware before selling it on.
The Information Commissioner’s Office has published a report revealing that one in ten second-hand hard drives sold online contains residual personal data, with some containing scanned bank statements, passports, information on previous driving offences, and medical details.
The report is based on a “mystery shopper” exercise carried out by NCC Group on behalf of the ICO. The organisation sourced 200 hard drives from a mixture of internet auction sites and computer trade fairs. The devices were initially searched without any additional software, and then interrogated using forensic tools freely available on the internet.
The research found that, while 52 percent of the hard drives investigated were unreadable or had been wiped of data, 48 percent contained information and 11 percent of that data was personal. In at least two cases the hard drives contained enough information to enable someone to steal the former owner’s identity.
“We identified 34,000 files containing either personal or corporate information – ample material to compromise the security of individuals and to allow fraud to take place,” said Information Commissioner, Christopher Graham, in a keynote session at the Infosecurity Europe event.
Four of the hard drives contained enough information for the ICO to identify the organisations they had originated from. Graham said that the ICO is now investigating with those organisations how the breaches happened and whether they have effective policies in place.
The ICO published a survey alongside the report, revealing that one in ten people who have ever disposed of a mobile phone, computer or laptop said that they had never deleted information held on a device before disposing of it, potentially allowing their data to be accessed by the next person who used it.
“Many people will presume that pressing the delete button on a computer file means that it is gone forever,” said Graham. “We wanted to sound the alarm, and let consumers know that this information can easily be recovered.”
Commenting on the findings, Ollie Hart, head of public sector UK & Ireland at security firm Sophos, said the research highlights the need for better education around data protection – particularly within the enterprise.
“It’s disappointing to see yet another example of organisations either not caring, or not understanding their obligations,” he said. “Ultimately, it is the responsibility of organisations to ensure that the data they are entrusted with is stored responsibly, whether that be centrally or locally.”
The ICO has itself been the subject of scrutiny, after a Freedom of Information (FoI) request by communications company ViaSat UK revealed that public sector organisations are more likely to be fined for data breaches than private sector organisations.
Responding to the criticism, Graham said that the ICO only issues civil monetary penalties in the most serious cases, where sensitive personal information was at stake.
“I absolutely haven’t got it in for the public service. I’m simply trying to enforce data protection in the most effective way possible,” said Graham. “I’d much prefer to have the power to audit rather than having to rely on the power to fine.”