InfoSec 2012: One in 10 second-hand hard drives contain personal data

An investigation by the ICO reveals that businesses are failing to wipe hardware before selling it on


The Information Commissioner’s Office has published a report revealing that one in ten second-hand hard drives sold online contains residual personal data, with some containing scanned bank statements, passports, information on previous driving offences, and medical details.

The report is based on a “mystery shopper” exercise carried out by NCC Group on behalf of the ICO. The organisation sourced 200 hard drives from a mixture of internet auction sites and computer trade fairs. The devices were initially searched without any additional software, and then interrogated using forensic tools freely available on the internet.

The research found that, while 52 percent of the hard drives investigated were unreadable or had been wiped of data, 48 percent contained information and 11 percent of that data was personal. In at least two cases the hard drives contained enough information to enable someone to steal the former owner’s identity.

“We identified 34,000 files containing either personal or corporate information – ample material to compromise the security of individuals and to allow fraud to take place,” said Information Commissioner, Christopher Graham, in a keynote session at the Infosecurity Europe event.

Four of the hard drives contained enough information for the ICO to identify the organisations they had originated from. Graham said that the ICO is now investigating with those organisations how the breaches happened and whether they have effective policies in place.

The ICO published a survey alongside the report, revealing that one in ten people who have ever disposed of a mobile phone, computer or laptop said that they had never deleted information held on a device before disposing of it, potentially allowing their data to be accessed by the next person who used it.

“Many people will presume that pressing the delete button on a computer file means that it is gone forever,” said Graham. “We wanted to sound the alarm, and let consumers know that this information can easily be recovered.”

Commenting on the findings, Ollie Hart, head of public sector UK & Ireland at security firm Sophos, said the research highlights the need for better education around data protection – particularly within the enterprise.

“It’s disappointing to see yet another example of organisations either not caring, or not understanding their obligations,” he said. “Ultimately, it is the responsibility of organisations to ensure that the data they are entrusted with is stored responsibly, whether that be centrally or locally.”

The ICO has itself been the subject of scrutiny, after a Freedom of Information (FoI) request by communications company ViaSat UK revealed that public sector organisations are more likely to be fined for data breaches than those in the private sector.

Responding to the criticism, Graham said that the ICO only issues civil monetary penalties in the most serious cases, where sensitive personal information was at stake.

“I absolutely haven’t got it in for the public service. I’m simply trying to enforce data protection in the most effective way possible,” said Graham. “I’d much prefer to have the power to audit rather than having to rely on the power to fine.”




Jeremy Epstein said: This isn't new - Simson Garfinkel did an extensive study about 10 years ago on this topic. For example, see his invited talk at USENIX Lisa 2004 - www.usenix.org/event/lisa04/te What is surprising is that 10 years on the problem still exists and that people haven't learned their lessons.

Nick said: The stats sound just about right to match the IQ bell curve.
