Personal data exposed via eBay storage

A trawl of 150 pieces of removable storage available for auction turned up a rich mix of passwords, letters, phone numbers and addresses

Security codes, passwords, phone numbers and home addresses are being found in storage sold on eBay, according to a UK-based data recovery firm.

Disklabs bought 100 hard drives and 50 memory cards — including SD cards, flash drives, SIM cards and memory sticks — from the auction site. The company said most contained some kind of confidential or personal data including phone numbers, email addresses, letters and even temporary files created by Internet browsers which contained passwords for online banking.

The drives and memory cards found on eBay are normally sold by people upgrading their PC or changing mobile phones. Sellers who don't delete data properly are risking personal and security details being passed on to the buyer.

Disklabs said that in most cases users had simply used the delete key to remove data, not knowing that on PCs and many other digital devices this only labels the affected sections of storage as available to be overwritten, rather than removing the data in question. This supposedly deleted data can remain intact for a long time.
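The behaviour described above can be shown with a toy model. This is an added example, not code from Disklabs or the original article: `ToyVolume`, its block size and the sample file contents are all constructed for illustration and do not correspond to any real filesystem.

```python
# Toy model (constructed for illustration): a volume is a list of fixed-size
# blocks plus an allocation table mapping file names to block indexes.
BLOCK = 16

class ToyVolume:
    def __init__(self, nblocks):
        self.blocks = [bytes(BLOCK) for _ in range(nblocks)]
        self.table = {}  # file name -> list of block indexes

    def free_blocks(self):
        used = {i for idxs in self.table.values() for i in idxs}
        return [i for i in range(len(self.blocks)) if i not in used]

    def write(self, name, data):
        chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
        free = self.free_blocks()
        if len(chunks) > len(free):
            raise OSError("volume full")
        self.table[name] = free[:len(chunks)]
        for idx, chunk in zip(self.table[name], chunks):
            self.blocks[idx] = chunk.ljust(BLOCK, b"\0")

    def delete(self, name):
        # What the delete key does: drop the table entry, leave the blocks alone.
        del self.table[name]

    def residual_blocks(self):
        # Unallocated blocks that still hold non-zero bytes.
        return [i for i in self.free_blocks() if any(self.blocks[i])]

    def wipe_free_space(self):
        # Overwrite every unallocated block, then report what is left over.
        for i in self.free_blocks():
            self.blocks[i] = bytes(BLOCK)
        return self.residual_blocks()

def demo():
    vol = ToyVolume(8)
    vol.write("keep.txt", b"holiday photo list")                 # constructed sample
    vol.write("bank.tmp", b"user=alice;pin=0000;sort=00-00-00")  # constructed sample
    vol.delete("bank.tmp")
    before = vol.residual_blocks()           # blocks still holding "deleted" data
    leaked = b"".join(vol.blocks[i] for i in before)
    after = vol.wipe_free_space()            # empty list once the wipe has worked
    return before, leaked, after, vol.table

if __name__ == "__main__":
    print(demo())
```

The check in `residual_blocks()` is the part worth carrying over to real media: after a wipe, confirm that unallocated space no longer holds readable data rather than trusting that the file listing is empty.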

Wiping data before discarding is not just a matter of personal security — it's also a matter of national and international security. For example, a police hard drive containing confidential data from the Brandenburg police in Germany was sold on eBay in April, according to a report by Der Spiegel, a weekly German newspaper.

Experts say the problem is that most users don't realise that simply wiping the hard drive is often not enough. "For people who want to sell or donate a computer, who are trying to protect their cheque book or medical info, you can expect to protect yourself against all but the most sophisticated attacks with wiping," said Stephen Lawton, the director of marketing at Acronis, a maker of wiping tools, backup and recovery software, back in April. "But you have to use the software the right way."

Last year a customer database and current access codes to the secure intranet of one of Europe's largest financial services groups were left on a hard disk offered for sale on eBay. The disk was then purchased for £5 by mobile security firm Pointsec.

Most businesses are guilty of not clearing data from storage disks before disposing of them. A study last year by UK PC recycling firm Remploy e-cycle showed that data is erased from less than a quarter of discarded PCs: 75 percent of firms sold or gave away unwanted PCs, but only 23 percent of these wiped the hard disks before getting rid of the old computers.