You can still buy hard drives full of other people's data, but SSDs are less risky

Kroll Ontrack bought hard drives and SSDs on eBay and found almost half still had business and personal data on them.


Kroll Ontrack has just repeated one of the most time-honoured stories in technology journalism: buying old hard drives and finding both business and personal data on them. In this case, the story was enhanced and updated by the acquisition of SSDs as well as traditional hard drives (HDDs). The useful finding was that the SSDs were a bit more secure.

The company bought 64 drives on eBay: 27 SSDs and 37 HDDs. It found that "over half of the HDD drives contained traces of data while only a third of the SSD drives did."

"Though SSD drives were by no means immune to identity risk, they tended to facilitate more successful data wipes," said Kroll Ontrack. The "SSDs have several functions that affect the state of the stored data, such as FTL (Flash Translation Layer function), which controls the mapping of files, as well as wear levelling, Trim, Garbage Collection and always-on encryption, all of which influence the recoverability of deleted or discarded data."

Kroll Ontrack bought drives in several countries, including the USA, Germany, France, Italy, Poland and the UK. It found traces of data on 30 drives (47 percent), but the other 34 drives (53 percent) had been cleaned successfully.

There were only eight drives where the company was sure there had been "no attempt whatsoever directed at deleting its data". However, six drives contained "critical business data such as CAD files, PDFs, JPGs, keys and passwords. Kroll Ontrack even found full online store set ups, configuration files and POS training videos in their scour of these six drives. A further five contained other work-related data: invoices and purchase orders, much of it including sensitive personal information."

One company had "used a service provider to erase and resell old drives. Despite that, the drive still contained a wealth of highly sensitive information, including user names, home addresses, phone numbers and credit card details. It contained an employee list of around 100 names that included information about work experience, job titles, phone numbers, language abilities, vacation dates and a 1MB offline address book."

This is rather boring compared with the missile data found on hard drives when researchers bought 300 hard drives in 2009, or the NHS hospital data whose discovery resulted in a £200,000 fine. There are other examples on the Residual Data on Used Equipment page at the Forensics Wiki.

Although statistics can be useful, nothing attracts press coverage like finding something really scandalous, and we can only wish Kroll Ontrack better luck next time...

There are lots of different ways to erase data, and Kroll Ontrack - which specialises in data recovery - suggests low-level formatting as a good way to wipe drives.

Because of the potential fines, companies that have to handle significant numbers of redundant drives may well need a service provider who is 100 percent reliable. If they have to do the job themselves, standalone hard drive erasers could be the most cost-effective option, because they deskill the process for a modest sum.
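
An added example, not from Kroll Ontrack or the original article: a post-wipe check that reads a raw drive image sector by sector, flags any sector that is not a uniform fill pattern, and notes leftover PDF or JPG headers, the file types found on the six drives above. It assumes a fixed-pattern overwrite (a random-data wipe would flag every sector) and a 512-byte sector size; the function names and the sample image are constructed for illustration.

```python
import io

SECTOR = 512  # bytes per logical sector (assumption; many drives use 4096)

# Magic bytes for file types the article says were recovered (PDFs, JPGs).
SIGNATURES = {"pdf": b"%PDF-", "jpg": b"\xff\xd8\xff"}


def audit_wipe(stream, sector_size=SECTOR):
    """Scan a raw device or image and report sectors that are not a uniform fill."""
    total = dirty = 0
    hits = {name: [] for name in SIGNATURES}
    while True:
        sector = stream.read(sector_size)
        if not sector:
            break
        # A sector holding one repeated byte (0x00, 0xFF, ...) counts as wiped.
        if sector != sector[:1] * len(sector):
            dirty += 1
            for name, magic in SIGNATURES.items():
                if sector.startswith(magic):
                    hits[name].append(total)  # record the sector index
        total += 1
    return {"sectors": total, "dirty": dirty, "signatures": hits}


def is_clean(report):
    """True only if something was read and every sector was a uniform fill."""
    return report["sectors"] > 0 and report["dirty"] == 0


def build_sample_image():
    """Constructed 8-sector image: zero fill with three leftover sectors."""
    sectors = [bytes(SECTOR) for _ in range(8)]
    sectors[3] = b"%PDF-1.4\n".ljust(SECTOR, b"\x00")
    sectors[5] = b"\xff\xd8\xff\xe0".ljust(SECTOR, b"\x00")
    sectors[6] = b"user=alice;phone=555-0100".ljust(SECTOR, b"\x00")
    return io.BytesIO(b"".join(sectors))


if __name__ == "__main__":
    report = audit_wipe(build_sample_image())
    print(report, "clean" if is_clean(report) else "NOT clean")
```

On an SSD a scan like this only sees the logical addresses exposed through the FTL, not remapped or over-provisioned flash.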