Idaho Power Company sent 230 SCSI hard drives off to Grant Korth salvage to be recycled—without erasing the data first. Eighty-four of these drives, which were packed with confidential company information, appeared for sale on eBay.
Simson Garfinkel of Harvard’s Center for Research on Computation and Society has been buying used hard drives on eBay since 2001, just to see what he can see. And what has he seen? Thousands of credit-card numbers, and enough other information to trace the drives to their original owners.
Last spring a student bought a hard drive once owned by the police in Brandenburg, Germany, for a mere 20 euros. The information on it should only have been accessible to high-level police and intelligence employees.
Now, the sellers of these drives don’t necessarily know what’s on them. If they did, they’d either use the information themselves or ask a hell of a lot more money for them.
There are people who sell or recycle their computers without making any attempt to erase the data, whether through oversight or ignorance. But what’s more common, according to Garfinkel and others who analyze these drives, is insufficient purging of the drives, even when corporate regulations mandate either complete destruction or degaussing of any drives before they can leave the premises. (Degaussing is a technique involving powerful magnets which essentially causes a hard drive, or other magnetic media, to forget everything it ever knew.)
Reformatting your hard drive before giving your computer away will certainly protect you against casual discovery of your passwords, Quicken files, confidential client records, and so forth. But unless you actually overwrite the erased drive with new data, a skilled hacker can still retrieve and reconstruct far too much information. Installing an operating system and tons of programs does a tolerable job of overwriting, as I learned once to my dismay, but to be absolutely certain you have to do a multiple overwrite with meaningless random patterns of data.
That no longer necessarily falls into the “Kids, don’t try this at home” category. There are several commercial software products designed to do this (see the CNET article below for more details), including iSafeguard Freeware for Windows.
So unless you want your data being sold on eBay, make sure you wipe your drive clean before giving away, selling, or recycling your computer or the external drive you’ve been using for backups.
Of course, if the drive has suffered the kind of crash that means even the data recovery specialists can’t get anything off it, you’re safe.
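The gap between reformatting and overwriting described above can be seen in a small model. This Python example is added here and is not from the original post; a 1 MiB file stands in for the drive, and the header size, marker strings and sample record are constructed for illustration.

```python
import os
import tempfile

SECRET = b"CARD=4111111111111111"  # constructed sample record, not real data
IMAGE_SIZE = 1 << 20               # 1 MiB file standing in for a drive
HEADER_SIZE = 4096                 # assumed size of the area a reformat rewrites

def make_image(path):
    """Create the model drive: a filesystem header plus a record in the data area."""
    with open(path, "wb") as f:
        f.write(b"FSHDR" + b"\x00" * (HEADER_SIZE - 5))
        f.write(b"\x00" * (IMAGE_SIZE - HEADER_SIZE))
        f.seek(HEADER_SIZE + 123456)
        f.write(SECRET)

def quick_format(path):
    """Rewrite only the header, as a reformat does; the data area is untouched."""
    with open(path, "r+b") as f:
        f.write(b"NEWFS" + b"\x00" * (HEADER_SIZE - 5))

def overwrite(path, passes=3, chunk=64 * 1024):
    """Overwrite every byte with random data, syncing to disk after each pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            for offset in range(0, size, chunk):
                f.write(os.urandom(min(chunk, size - offset)))
            f.flush()
            os.fsync(f.fileno())

def residue(path, needle=SECRET):
    """Scan the raw bytes, ignoring any filesystem structure, for the record."""
    with open(path, "rb") as f:
        return needle in f.read()

def demo():
    """Return (record found after reformat, record found after overwrite)."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        make_image(path)
        quick_format(path)
        after_format = residue(path)
        overwrite(path)
        after_wipe = residue(path)
        return after_format, after_wipe
    finally:
        os.remove(path)
```

The same raw scan is a useful acceptance check before a drive leaves the premises. On a real disk the overwrite has to target the whole device rather than individual files, since journaling filesystems and SSD wear-leveling can leave old copies in blocks a file-level overwrite never touches.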
ComputerWorld: “Idaho Utility Hard Drives—and Data—Turn up on eBay”
TechWeb: “Buyers Scour eBay for Data-Rich Hard Drives”
CNET: “Skeletons on Your Hard Drive”
The Register: “Police Hard Drive Sold on eBay”