Do you think about leftover personal information when you dispose of an old device? As it turns out, 40 percent of hard drives, mobile phones and tablets offered for resale contain personally identifiable information, an analysis by NAID (National Association for Information Destruction) and CPR Tools reveals. To be more specific, NAID commissioned CPR Tools to analyze the devices.
The study showed that 40 percent of devices offered for sale in publicly available resale channels contained personally identifiable information (PII). Devices previously deployed in commercial and personal environments were included in the analysis.
Devices Disclosing PII
Interestingly, tablets top the list of devices with recoverable PII at 50 percent, followed by hard drives at 44 percent, and finally mobile phones at 13 percent. Overall, this comes to 40 percent of devices revealing PII.
According to John Benkert, CEO at CPR Tools:
As data storage is included in nearly every aspect of technology today, so is the likelihood of unauthorized or unintended access to that data. Auction, resell, and recycling sites have created a convenient revenue stream in used devices; however, the real value is in the data that the public unintentionally leaves behind.
Recoverable PII: What Type Was Successfully Recovered?
Recovered PII included credit card information, contact information, user credentials (usernames and passwords), personal data, company data, tax details, etc.
Robert Johnson, NAID CEO, says that the results of the study do not affect the reputation of commercial services providing secure data erasure. “We know by the ongoing audits we conduct of NAID Certified service providers that when overwriting is properly done, it is a trustworthy and effective process. The problem lies with service providers who are not qualified and, too often, with businesses and individuals who feel they can do it themselves,” Johnson concluded.
Similar studies have been performed in the past, but this one stands out because of the recovery process used to locate the data on more than 250 devices. The process was not sophisticated and did not require advanced forensic training.