As an individual, you might have an old smartphone or tablet sitting around your house collecting dust. Before recycling it, you hire a company to wipe the drive clean of any personally identifiable information. With the storage on today\u2019s smartphones, there could be credit card information sitting in the background.You feel relieved as you pass off the device to be cleaned. A load off your shoulders, you have taken another item out of your house that was cluttering up the living room. Right? Well the device might be gone, but the data might still live on.The National Association for Information Destruction (NAID) found such in a recent study that revealed 40 percent of the devices the group bought on secondhand markets had PII on them. NAID, which is an international watchdog trade and non-profit trade association for the secure destruction industry, conducting the study in the first quarter of this year.NAID used CPR Tools data recovery services to investigate each device. The task was to perform basic data forensic transfer from working storage devices specifically using commercially available tools. In this study, the devices inspected were intended to be a representative view of what typical users own and thus discard: smartphones, tablets, and hard drives.\u201cAs data storage is included in nearly every aspect of technology today, so is the likelihood of unauthorized or unintended access to that data,\u201d states CPR Tools CEO John Benkert. \u201cAuction, resell, and recycling sites have created a convenient revenue stream in used devices; however, the real value is in the data that the public unintentionally leaves behind.\u201dThe devices can be found on the secondhand market, on sites such as eBay and Amazon. Organizations are required to destroy such information prior to disposal, any organization permitting undestroyed information to pass to an unauthorized person or organization is violating the law.According to NAID, recycled IT equipment is supposed to go to a qualified service provider specializing in secure data destruction, and obtain legally binding assurance that the recycling is accepting that responsibility. Too often, the organization claims to be erasing the data but the contractual fine print (or terms and conditions) disavow any legal responsibility; instead, stating it is the responsibility of the individual to remove the data first.Auction, resell, and recycling sites have created a convenient revenue stream in used devices; however, the real value is in the data that the public unintentionally leaves behind.CPR Tools CEO John Benkert\u201cA 5-year-old with some free software off of the web could have done it,\u201d Benkert said. No specialized hardware or physical repairs were made to any of the more than 250 devices.PII recovered included credit card information, contact information, usernames and passwords, company and personal data, tax details, and more. While mobile phones had less recoverable PII at 13 percent, tablets were found with the highest amount at 50 percent. PII was found also found on 44 percent of hard drives.NAID reported it recovered the following PII data from the hard drives:Credit card informationNamesAddressesPhotographsVideosEmailsUsernames (files named users.doc etc)Passwords (files named passwords.txt etc)Company and Personal financial informationPhysical navigation historyInternet navigation historySocial media credentialsTax informationNAID recovered the following PII data on smartphones:NamesPhone numbersAddressesAnd the following PII data was recovered from the tablets NAID received:Credit card informationNamesAddressesPhotographsEmailsUsernames (files named users.doc etc)Passwords (files named passwords.txt etc)Physical navigation historyInternet navigation historySocial media credentialsRobert Johnson, NAID CEO, points out that while this study\u2019s results show a decrease in data found compared to past studies, \u201cNAID employed only basic measures to extract data \u2013 imagine if we had asked our forensics agency to actually dig!\u201dHe goes on to surmise that \u201c40 percent is horrifying when you consider the millions of devices that are out there.\u201dJohnson cautions that the results are not an indictment of reputable commercial services providing secure data erasure. \u201cWe know by the ongoing audits we conduct of NAID Certified service providers that when overwriting is properly done, it is a trustworthy and effective process. The problem lies with service providers who are not qualified and, too often, with businesses and individuals who feel they can do it themselves.\u201dNAID noted that there has been a history of criminals buying devices on the second-hand market for the sole purpose of gathering PII. One report of second-hand equipment being sent for processing to Nigeria was linked to an organized effort to mine the equipment.We won't wipe your comments, head to Facebook to add them.