A good few years ago, I remember doing some research into personal data not being wiped prior to computers being sold or disposed of. I examined drives from devices dumped at the local council tip and hard drives purchased on eBay; the majority contained easily accessible personal data in the days before mainstream encryption gave a layer of protection.
Roll forward and surely this cannot still be happening; users must now be savvy to deleting their personal data prior to disposing of their old computer systems?
Yes, most systems come encrypted by default but securely wiping the drive, as a minimum, prior to disposal, is still a shrewd decision. You would think that those selling on used storage media would be ensuring that drives are securely wiped.
I regularly purchase hard drives from eBay for data recovery projects, or to add to my legacy storage media collection, and I recently purchased an SFF-8784 hard drive for such a purpose.
I have redacted the content that would shame the guilty but this transaction clearly indicates that the relevant drive is wiped.
Now, it would not be fair if I had used specialist forensic tools to scrutinise this drive and carve out data from unallocated, as this would not be easily accessible, but when you just plug in the drive and there is the data then surely, in this day and age, this is unforgivable.
The question is, had the easily identifiable user entrusted somebody to securely dispose of their old system, or was it naivety, or gross negligence, on the part of the user? I know the likely reason the drive has not been wiped: the interface is non-standard and you need an adapter to convert to such; clearly the intermediary did not have the technical capability to perform the wipe and just put in the standard “disk wiped” blurb because, after all, who would notice!
From a hard drive purchased on eBay, I could access the PII relating to a family in South Wales and many others through the user’s business and social activity! This is a data breach.