Mimi Onuoha | Quartz | May 10, 2017 | 0 Comments

You Probably Are Not Fully Removing Your Private Photos and Data Before Selling Your Old Technology


Old email addresses, thousands of credit card numbers, love letters and even pornography: these are just some of the data researchers have found left behind on devices for sale on the secondhand market.

These results are concerning for the National Association for Information Destruction, the international trade association for the secure information destruction industry. NAID’s mission is to help companies meet regulatory standards for data erasure set by the Defense Department and the National Institute of Standards and Technology.

CEO Bob Johnson told Quartz private data can be successfully removed from old devices, but many resellers just don’t take the necessary precautions to delete it. E-waste not stripped of sensitive information can be an easy target for identity theft.

In a 2017 survey, one of the largest of its kind in recent years, the association looked at 258 mobile devices, tablets and computer drives and used only the most basic measures to try to extract data. They found that 40 percent of devices resold in “regular commerce channels” (think Amazon, eBay and second-hand stores) contained personally identifiable information like tax details, usernames, passwords, company and personal data.

These findings have been replicated over and over in the last 14 years by various researchers. It’s not just individuals who are lax about removing data; companies around the world are at fault as well. In a 2007 study researchers in Canada obtained 60 secondhand drives that had previously belonged to health care facilities. They were able to recover personal information from 65 percent of the drives. The data included, in the words of the researchers, “very sensitive mental health information on a large number of people.”

Think of all the data.

A 2006 study of 200 hard drives obtained in the U.K. by the British Telecommunication’s Security Research Center and Edith Cowan, 20 percent contained enough information for individuals to be identified, 15 percent contained information of a “personal nature” and 10 percent contained financial information on the organization or individual from which they had originated. One hard drive still contained data about the plans for a classified missile system designed and built by weapons manufacturer Lockheed Martin.

Even as far back as 2003, two MIT graduate students purchased 150 previously-owned hard drives from secondhand markets to see if there was still personally identifying information on them. Of the 150 hard drives, only 9 percent had been properly cleared of their previous owners’ data. From the remaining drives the researchers were able to use computer forensic techniques to find old email addresses, credit card numbers, fax templates, love letters and porn.

Johnson says there are some cases where it might make more sense to destroy rather than resell old drives and devices, because it would require extreme effort to even attempt to retrieve data from the hard drive.

Meanwhile, there are more than 1,200 U.S. companies with NAID membership who follow regulations for data erasure. So if you have sensitive information on an old hard drive or device, it may be worth your while to get it in the hands of a company that follows the federal standards for deleting data before reselling it.

According to Johnson, this simple act could have helped all of the consumers whose private data lives on in second-hand remnants: “Had they sent it to a qualified company to sanitize it, and that company knew what they were doing, you would not be able to get data off that drive. Even the NSA would not be able to get data off that drive.”


Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

  • Effective Ransomware Response

    This whitepaper provides an overview and understanding of ransomware and how to successfully combat it.

  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.


When you download a report, your information may be shared with the underwriters of that document.