More than one in 10 secondhand hard drives sold online may contain recoverable personal information, making people a 'soft touch for online fraudsters', an investigation by the Information Commissioner's Office has found.
Organisations and individuals may be disposing of hard drives without fully wiping data, due to a lack of technical knowledge, the data watchdog said in a report on Wednesday.
"Today's findings show that people are in danger of becoming a soft touch for online fraudsters simply because organisations and individuals are failing to ensure the secure deletion of the data held on their old storage devices," Information commissioner Christopher Graham said in a statement. "Many people will presume that pressing the delete button on a computer file means that it is gone forever. However this information can easily be recovered."
An investigation undertaken on behalf of the Information Commissioner's Office (ICO) found that 11 percent of secondhand hard drives contained recoverable personal information.
In December 2010 the ICO commissioned IT assurance company NCC Group to get hold of 200 hard drives, 20 USB memory sticks and 10 mobile phones. NCC Group bought the devices from internet auction sites and at trade fairs, searched them, and then subjected them to forensic examination using tools that were available on the internet.
Negligible personal data was recovered from the phones and USB sticks, said the ICO. In the case of the hard drives, 11 percent contained personal data, 37 percent contained non-personal information, 38 percent of the devices had been wiped, and 14 percent were damaged or unreadable, according to the ICO report.
Around 34,000 files containing personal or corporate data were recovered in total, with six of the drives containing significant amounts of data.
Four of the hard drives contained client and employee data from four organisations, including job applications; copies of passports, birth certificates and driving licences; full bank details; health information; and residence permits.
Two of the hard drives contained a large amount of personal information about the owner or user, including scanned bank statements, passports and birth certificates, data on driving offences and convictions, medical details, tax information, and family photos.
"There is likely to have been more than enough information on both the identified drives to enable a third party to carry out an identity theft," said the ICO report.
The organisations have taken steps to ensure adequate data disposal, and one of the companies — Safe and Secure Insurance Services Limited — has signed an undertaking to introduce further improvements, said the ICO.
NCC Group found that in the case of bulk purchases, most vendors had taken steps to securely erase the data.
In a separate survey released on Wednesday, the ICO said that one in 10 people who had disposed of a laptop, phone or computer had never deleted personal information.