Are you relying upon data erasure or hard drive shredding for your e-security needs? An eye-opening new study was just released that may have you thinking twice about the effectiveness of hard drive erasing or wiping. The study, conducted by Kroll Ontrack and Blancco Technology Group, analyzed both used mobile devices and hard drives being sold on Amazon, eBay and Gazelle to determine whether they held any residual data from their previous owners. They found that more than half of the mobile devices and 75 percent of the drives had not been completely erased, and that some of the devices held data that revealed the identity of their original users. Physically shredded hard drives could not be found on eBay for our study.
The comprehensive study looked at over 100 devices that had come from the United States, the United Kingdom and Germany during the summer of 2015. They included mobile devices, solid state and hard disk drives, with almost half of the drives found to contain some data and over one third of the mobile devices retaining emails, texts and SMS messages, photos, videos and call logs. This was true despite the fact that deletion attempts had been made on 57 percent of the mobile devices and 75 percent of the drives, a fact that was noted by the study’s sponsors in their press release. “Even more compelling was the discovery that those deletion attempts had been unsuccessful due to common, but unreliable, methods used leaving sensitive information exposed and potentially accessible to cyber criminals.” According to Paul Henry, IT security consultant for Blancco Technology Group, “Whether you’re an individual, a business or a government/state agency, failing to wipe information properly can have serious consequences.”
The failure of data erasure methods points to the need for more effective security measures, particularly for those businesses that handle sensitive information such as patient medical records that require HIPAA compliance. As Henry says, “One of the more glaring discoveries from our study is that most people attempt in some way or another to delete their data from electronic equipment. But while those deletion methods are common and seem reliable, they aren’t always effective at removing data permanently, and they don’t comply with regulatory standards. There’s no better example of this danger than the findings of a recent state audit, which found that twelve U.S. state agencies responsible for handling taxes, programs for people with mental illness and drivers’ licenses used inadequate methods to attempt to wipe information.”
Echoing Henry’s thoughts, Todd Johnson, vice president of Data Recovery Operations for Kroll Ontrack, said, “Manually deleting data or simply logging out of a mobile device app does not erase data from the device. Deleting data simply hinders the ability for the mobile device to locate the data – the actual data still remain and can be recovered. In the case of hard drives and solid state drives, formatting to securely delete data can lead to varying results, as each operating system performs the action differently.”
The study found specific failings in the available data deletion services that the devices had been subjected to, including:
When end users execute basic file-deletion commands they are left with a false sense of security about their efforts. The study found that eleven percent of the drives being sold had only undergone a basic delete, leaving 444,000 files available.
Similarly, users who had employed reformatting methods on hard drives left behind data. This unreliable method was found to have been used on 61 percent of the drives from which data could still be extracted.
The data that was left over on drives and mobile devices included emails and messages that were easily retrievable and potentially damaging – personally, financially and legally – to the companies and employees that had originally used them.
The study confirms what those in the data security field have long suspected – that the most secure form of data destruction is the physical shredding of hard disk drives and the secure and responsible disposal of retired electronics and computer equipment. E-Waste Security is certified by NAID and provides data destruction compliant with HIPAA, PCI DSS and NIST 800-88 data destruction guidelines. To provide your organization with the highest level of security, contact us today to learn more about our services. For data destruction in Orange County, Los Angeles and San Jose, CA