One in 10 secondhand hard drives contain recoverable personal information

Summary: I recommend three ways of erasing a hard disk drive.

TOPICS: Hardware

Research carried out for Britain's Information Commissioner's Office (ICO) by NCC Group found that 11 percent of secondhand hard drives contain recoverable personal information belonging to the original owner.

A total of 200 hard drives bought from Internet auction sites and trade fairs were examined, and the results are quite shocking. 11 percent were found to contain personal information belonging to the previous owner, while another 37 percent had what is described as "non-personal" information. Only 38 percent of the drives had been properly wiped, while a further 14 percent were damaged and unreadable.

Of the data recovered, some 34,000 files were found to contain highly sensitive information, including scanned bank statements, passports, birth certificates, employee information, full bank details, family photos, and medical information.

According to Graham Cluley, senior technology consultant at security firm Sophos, "such incidents aren't always the fault of the company who owned the hard drives," and they could be the fault of a third party organization used to handle the secure disposal of assets.

"But it's always us, the unfortunate member of the public," he adds, "who is most exposed by the sloppy practice."

I recommend three ways of erasing a hard disk drive (HDD). The first is to use a software solution such as DBAN to erase the drive. This method can be very time-consuming, and the drive has to be attached to a PC for the entire operation, which can last for hours. It is, however, cheap (the software is free) and a very effective way of erasing a hard drive.

Wiping a hard drive with DBAN

Another method is to use a hardware drive eraser, such as Drive eRazer Ultra from WiebeTech. This is a simpler solution because you don't need a PC for the job. You just connect the drive to the drive eraser tool and let it do its job. It can still take hours, but at least you're not tying up a PC during the process. Investing in a hardware eraser is worthwhile if you have a number of drives to erase or are involved in PC repair.

Finally, there's the tried and trusted method of taking a hammer and a six-inch nail and hammering the nail through the drive a few times. Drives are actually quite soft and the nail goes through pretty easily. Just make sure to wear eye protection and gloves, and make sure that you don't nail the drive to your floor!

With dead drives, many times there's no alternative other than to use the hammer and six-inch nail method, as both the software and hardware erasure tools require a functioning hard drive.
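A software or hardware overwrite is only as good as its coverage, so it is worth checking the result before a drive leaves your hands. The following is an added example, not part of the original article: it reads a device or image sector by sector and reports any sector that is neither zero-filled nor random-looking. The 512-byte sector size, the 7.0 bits/byte entropy threshold and the sample image are assumptions made for the illustration.

```python
import math
import os
import tempfile
from collections import Counter

SECTOR = 512            # bytes per logical sector (assumed)
CHUNK = SECTOR * 2048   # read 1 MiB at a time

def classify(sector: bytes) -> str:
    """Label one sector: 'zero', 'random' (high entropy) or 'residual'."""
    if sector.count(0) == len(sector):
        return "zero"
    n = len(sector)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(sector).values())
    # 512 random bytes measure about 7.6 bits/byte; text and file headers
    # sit well below the assumed 7.0 threshold.
    return "random" if entropy >= 7.0 else "residual"

def scan(path: str) -> dict:
    """Count sector classes and record the first few residual byte offsets."""
    tally = {"zero": 0, "random": 0, "residual": 0, "offsets": []}
    with open(path, "rb") as dev:
        pos = 0
        while chunk := dev.read(CHUNK):
            for i in range(0, len(chunk), SECTOR):
                kind = classify(chunk[i:i + SECTOR])
                tally[kind] += 1
                if kind == "residual" and len(tally["offsets"]) < 10:
                    tally["offsets"].append(pos + i)
            pos += len(chunk)
    return tally

def build_demo_image(path: str) -> None:
    """Constructed sample: a wiped image with one sector the wipe missed."""
    leftover = (b"Account holder: EXAMPLE NAME, sort code 00-00-00 " * 11)[:SECTOR]
    with open(path, "wb") as img:
        img.write(os.urandom(SECTOR * 40))   # region overwritten with random data
        img.write(leftover)                  # constructed leftover document text
        img.write(bytes(SECTOR * 23))        # zero-filled tail

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "disk.img")
        build_demo_image(image)
        print(scan(image))
```

After a zero-fill wipe, every sector should come back as `zero`. After a random-data wipe the check only catches low-entropy leftovers, because compressed or encrypted files that survived look the same as the random overwrite.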

Erasing solid state drives (SSDs) is a lot trickier. Unless the SSD is encrypted, even the most secure file deletion method can leave more than 4 percent of the original data recoverable. If the drive is encrypted, the best way to erase it is to delete the encryption keys from the Key Storage Area (KSA) and then overwrite the entire disk with a full DoD-compliant erasure tool. Consult your SSD or encryption utility's user manual for information on how to erase the KSA.

Image credit: DBAN/WiebeTech

  • All your pr0n....

    ... Are belong to me? 1 in 10 is still too high of a statistic. :/
    The one and only, Cylon Centurion
    • Considering what it takes...

      to properly erase a hard drive, I'm surprised that number is that low.
  • I still prefer...

    a 357 Magnum :-)
    • Rodger that...

      more fun and louder!
  • Here's A Better Method

    How to erase a hard drive:

    1) Download a Linux livecd. Any will do.

    2) Open a root shell and type:

    dd if=/dev/urandom of=/dev/sda

    (where sda is the name of your drive. Change it accordingly)

    3) Watch TV

    4) Done. You now have a fully overwritten drive where no data can be recovered.

    Why is this better than Dban? Because Dban wipes the drive an unnecessary number of times and takes forever and a day because of it. Research has shown 1 pass is enough to make data unrecoverable on EPRML drives (most spin drives).
    • errr

      How can it be better if you have to use linux ....
      Scarface Claw
    • By the way ....

      DBAN (which I consider excellent) is based on Linux.
      da philster
    • You lost the entire computing public...

      ... at "Open a root shell".
    • DBAN has options

      It's easy to use and you can use a variety of wiping methods, from a simple write zeros and write random to more complex schemes which really aren't necessary these days.
      Quick guide - Launch DBAN, hit enter for custom options. Hit M to change method. Hit V to turn verify off (not necessary), and hit F10 to start. And you don't have to know how to open a root shell.
  • I like this method

    I like this method personally.
    • Now that is what I call therapy!!!

  • A couple of useful freeware utilities to add

    HDD: HDDErase from Gordon Hughes @ UCSD CMRR

    SSD: Parted Magic from Patrick Verner @ SourceForge
  • Weird

    I would have expected closer to 1 in 2. Maybe we are making progress?
  • Turning the screw

    I use a screwdriver to pry open the case and expose the platters. Then I use a hammer to drive the screwdriver into the platters. This works especially well on drives with glass platters. But even the ones with metal platters will be very difficult to read. :)
    Robert Hahn
    • I use the platters as coasters

      They look and wear a lot better than the transparent CD/DVD R discs in bulk paks.
  • Surprise

    Well, I'm surprised! Are they actually saying that 90% have been properly wiped? I would have expected the situation to be a lot worse than that.
  • People just don't understand.

    I live in the boonies and people around here just throw the damn thing in the dump when it quits. Friends of mine pick them up and bring them to me for parts.
    Lots of times it's just a matter of cleaning out all the viruses and the computer works fine with all their private info for me to see. I tell the former owners and they say gee I thought it was dead. They just didn't know. Now those same people give me their old computers so no one else gets their info and are glad to recover all their pictures.

    As far as wiping a hard drive I just format it and overwrite with Linux and besides nobody around here has anything that important on them anyway.
    Rick Sos
    • I can relate to this

      I scavenged two or three 40-60 GB drives at a dumpster where I work and peeked into them using a HD adapter. Loads of personal info including some "x-rated" photos of the previous owner's spouse. I wiped the information since I wasn't in a blackmailing mood :-)

      BTW, destruction works but the premise of this article dealt with used drives from auction sites and computer fairs. People who had these drives apparently were planning to USE them not destroy them.
  • also surprised

    I am surprised it is not substantially higher than that.
  • People Who Destroy HD's are Stupid

    Why destroy one when you can just overwrite it once with random data?