The Dangers of Second Hand Hard Drives
by Ken Lee
When it comes to selling used computers, many people don’t understand the potential risks that lie within their computer’s hard drive. Many of us store private and confidential data (social security numbers, bank account or retirement info, passwords, etc.) on our hard drives; information that you wouldn’t just carelessly hand over to another person. This, however, is often what happens when people dispose of or sell their old hard drives.
Consider the following examples of second hand drives that were sold with sensitive information still on them.
In a study done by BT Security Research Centre in 2009, more than 300 hard disks bought through computer auctions, computer fairs and eBay were checked for data remnants. Out of the hard drives studied, 34 per cent of the hard disks contained ‘information of either personal data that could be identified to an individual or commercial data identifying a company or organization’ and a ‘surprisingly large range and quantity of information that could have a potentially commercially damaging impact or pose a threat to the identity and privacy of the individuals involved’.
Last year the State of New Jersey was preparing to auction old computer equipment, where 46 out of 58 hard drives still held data. Thirty-two of the hard drives had information that should not be made public. Six of the drives had Social Security numbers, including those contained in personnel reviews found in an e-mail archive. In some cases, no attempt had been made to erase files. In others, investigators were able to recover deleted files using commonly available software.
The importance of employing proper data removal methods to sanitize used hard drives before disposing of or reselling them cannot be overstated. It’s not only our personal information that is at stake here, it is also information detrimental to our national security. The same case study performed by BTR in 2009 found highly sensitive details of a U.S. military missile air defense system were on a second-hand hard drive bought on eBay. The disk contained security policies, blueprints of facilities and personal information on employees including social security numbers.
It is a common misconception that deleting files through the operating system is an effective way to permanently remove data. This couldn’t be further from the truth. Typically, when a file has been “deleted” the data itself isn’t deleted immediately. What is actually removed are the references in the directory structure that points to the data while the actual data remains on the disk completely intact, waiting to be overwritten at a later time.
Effectively removing data from old hard drives is not impossible or even difficult. There are several easy and established methods for rendering your data permanently inaccessible. Here are three effective methods for ensuring that data on old hard drives doesn’t fall into the wrong hands.
The simplest method for keeping your data from harm’s way is by physically destroying the drive. A properly applied hammer can do the trick here, but if you’re really serious about destroying your data beyond a chance of recovery you can consider taking your drive to a data destruction center where they use industrial strength shredders to turn hard drives into bits of scrap metal and plastic.
This is an easy solution that gives you easy visual confirmation of your data’s destruction; however professional hard drive shredding can be costly. The machines themselves are expensive and data destruction centers can charge hundreds of dollars to dispose of drives. (Chances are you won’t be recouping any of that cost by selling your shredded drive on E-bay, either.)
Mechanical hard disk drives rely on magnetic alignment and orientation to retain data. Industrial degaussing equipment runs drives through strong magnetic fields, causing the hard drive’s magnetic charge to reset to a neutral state. This not only erases the data on the drive, but also erases the factory pre-recorded servo tracks, rendering the drive unusable. A similar result can be achieved by rubbing super strong neodymium magnets in a circular motion over the hard drive platters, but there is no way of knowing whether you wiped all of your data permanently.
Most data destruction centers have degaussing equipment that, like shredding, can cost you hundreds of dollars to use. (And again, the drive will be unusable afterwards so there isn’t much resale value here.)
Secure Data Erasure
Secure Data Erasure can be achieved by using software based or hardware based solutions. Secure data erasure, also known as data wiping, is a method that achieves complete data erasure by overwriting every sector on a drive, including bad sectors. Depending on the solution you choose, the overwrite pattern might be all zeros, all ones or a random pattern of ones and zeros. What’s great about this method compared to shredding or degaussing is that the hard drive will still in usable condition even after the data has been securely removed.
Even after overwriting every sector once, your data may still be recoverable with the right tools. To make recovery practically impossible the U.S. Department of Defense employs a specific disk wipe protocol that many consider the model for secure data erasure. The DoD 5220.22-M standard implements a 3 pass disk wipe, where the first pass overwrites all sectors with zeros, the second pass overwrites all sectors with ones and then during the third pass a random pattern of ones and zeros overwrites all sectors. This is repeated 7 times to ensure that the original data is completely unrecoverable. Many hard drive duplicators also double as disk wiping stations, providing secure data erasure.
Whether you are planning on selling, recycling or throwing away your old hard drives, you should always consider using one of these solutions (destruction, degaussing, or secure data erasure) before getting rid of your old hard drive.
Otherwise, there’s no telling whose hands you data may end up in.