Companies expose private data with PC clearouts

You never know what you might find on your second-hand hard disk...
Written by Will Sturgeon, Contributor

Two graduates from the Massachusetts Institute of Technology have sent out a warning to all computer users and companies about the dangers of discarding old hard disks.

The almost improbably named Simson Garfinkel and Abhi Shelat obtained second-hand disks containing all manner of files left over from their previous owners - including pornography and more than 5,000 credit card numbers. One discarded hard drive contained 12 months' worth of cashpoint transactions, including bank account numbers.

With a strong market for second-hand computers and components, these findings serve as a reminder to all users to keep personal files private and ensure the removal of all data when a PC reaches the end of its life span. Just deleting files, and even formatting a hard drive, is not necessarily enough to wipe a disk's content.

Garfinkel said: "The format command just reads every block to make sure that they still work. To properly sanitise the hard drive, you need to overwrite every block. Lots of people know it is important to clean drives before you repurpose them, but few people do it because it's hard to do."

The pair found that 81 per cent of second-hand hard disks, obtained from shops and online auction sites, still worked perfectly, while 54 per cent of those still contained recoverable files and 37 per cent held important company information.

Perhaps most worrying is that this situation is nothing new. One high-profile incident in 2000 saw merchant bank Morgan Grenfell sell a second-hand computer which contained confidential documents about the company's clients - which included former Beatle Sir Paul McCartney.

At the time Jon Godfrey, co-founder of IT recycler Technical Asset Management (TAM), said the incident was typical of the lax attitude of many companies when it comes to wiping data. He warned that these organisations leave themselves seriously exposed to data protection issues as well as business and commercial risks.

Garfinkel and Shelat's findings appear in the latest edition of computer industry journal IEEE Security & Privacy.
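
The gap between deleting a file and overwriting every block, shown as an added example that is not part of the original article: a constructed 8-block image in which a simplified "delete" clears only the directory entry, followed by a full overwrite and a read-back check. The image layout, the 512-byte block size and the function names are assumptions made for this illustration.

```python
import os
import tempfile

BLOCK = 512  # assumed block (sector) size for this illustration


def residual_blocks(path, block=BLOCK):
    """Read back every block; return indexes that still hold non-zero bytes."""
    dirty = []
    with open(path, "rb") as f:
        index = 0
        while chunk := f.read(block):
            if any(chunk):
                dirty.append(index)
            index += 1
    return dirty


def overwrite_all(path, block=BLOCK):
    """Overwrite every block with zeros and force the writes to storage."""
    remaining = os.path.getsize(path)
    with open(path, "r+b") as f:
        while remaining > 0:
            n = min(block, remaining)
            f.write(b"\x00" * n)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())


def demo():
    """Constructed image: block 0 is a toy directory, blocks 3-4 hold a file."""
    image = bytearray(BLOCK * 8)
    image[0:12] = b"ACCOUNTS.TXT"
    image[3 * BLOCK:5 * BLOCK] = (b"SAMPLE-RECORD;" * 100)[:2 * BLOCK]
    fd, path = tempfile.mkstemp(suffix=".img")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(image)
        with open(path, "r+b") as f:   # simplified "delete": clear only the
            f.write(b"\x00" * 12)      # directory entry, leave the data blocks
        after_delete = residual_blocks(path)
        overwrite_all(path)
        after_wipe = residual_blocks(path)
        return after_delete, after_wipe
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

Running `residual_blocks` over an image of a drive after a wipe gives a read-back check that no block was skipped.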