"Erased" Hard Drives Can Bite You

USA Today

By Jefferson Graham
USA Today
Feb 2003

Imagine this chilling scenario: You buy a new PC and donate the old one to charity, knowing you've protected your privacy by deleting all your old files - or better yet, you erase the hard drive by reformatting the hard drive and wiping it clean.

Yet you later discover you're a victim of identity theft: Your Social Security number, driver's license ID, credit card account information and tax records all were retrieved from the old hard drive.

Far-fetched? Not really, Simson Garfinkel says. The privacy expert and MIT grad student recently bought 158 old hard drives on eBay as an experiment with fellow student Abhi Shelat to see how much data was recoverable.

Their findings: More than 5,000 credit card numbers, financial and medical records, personal e-mail and pornography were easily obtainable on the drives.

Erase the Hard Drive Tip #1:
Properly Sanitize the Hard Drive before giving it away

"People need to understand that when they throw away a hard disk, they have to take extreme measures to properly sanitize it," Garfinkel says. "If they don't, there's nothing to prevent someone from accessing that information."

What makes this whole scenario even scarier is this sad fact: The information on a hard drive is a lot like Jason in Friday the 13th. You keep on killing it, and you think it's truly gone, but the data are never truly at rest.

"As long as the hard drive is working, there's nothing you can do short of taking a sledgehammer to it to make sure the data are really gone," says Ben Carmitchel of ESS Data Recovery. "For every technology developed to erase the hard drive data, it's our job to counter that."

Erase the Hard Drive Tip#2:
Use a tool that has been certified to permanently erase the hard drive data

[Recently, 5 tools have been certified to truly erase the hard drive data, including WipeDrive from WhiteCanyon Software.]

Carmitchel spends his weeks trying to recover hard drives supplied by businesses - drives that have been subjected to fires, floods and lightning.

The process can take 40 to 50 hours for each hard disk and can cost businesses $300 to $2,000. "This isn't the sort of thing that anyone can do," he says.

But many, as Garfinkel and Shelat proved, are getting good at it. Even those non-professionals found that with 51 of the hard drives that were clean, 19 had easily recoverable data.

Erase the Hard Drive Tip #3:
Erase hard drive data to reduce help identity theft

The Federal Trade Commission recently reported that complaints about identity theft nearly doubled in 2002. Last week a bill was introduced in the Senate to make the process tougher, partly by shielding information that can be shared on the Internet.

And if you've been keeping up with the news, the almost weekly barrage of images of notable figures on child porn charges relating to images they might have viewed or had housed on their computers points to the potential dilemma shared by millions in terms of deleting data. They did not properly erase the hard drive.

"Anyone who uses the Internet a lot is invariably exposed to questionable images and probably has them still on his or her computer without realizing it," PC World Magazine's Andrew Brandt says. "If you fear you're an enemy of the state, throwing away your hard drive will only get you into more trouble," Brandt says.

"When we arrest a suspect, the first thing we do is confiscate the computer and hand it over to the high-tech forensic team," says Detective Sean Pierce of the San Jose Police Department's Internet Crimes Against Children unit. "They can find anything, even if it has been deleted and reformatted."

Erase the Hard Drive Tip #4:
Deleting a file simply tells the computer that area is available for fresh data

That's because when you try to erase the hard drive by simply deleting a file from a computer, what you're really doing is erasing the address from a directory and telling the computer that the area is available for fresh data.

"The data is still available, and the drive writes over it, but not completely," says Martin Parry of hard drive manufacturer Maxtor. "Only recording over this data many times with a random series of ones and zeroes will remove the original."

You could disassemble your computer, try to erase the hard drive and then throw the hard drive away, but as Garfinkel proved, the information is still easy to come by. You could rent a boat and throw it overboard into the Pacific Ocean, "but if it was dug up, it would still work," Parry says. "The surface of the disc has a layer of carbon which acts as a lubricant. Dry it off, and the data will still be read."

If you're still planning on bringing in your old PC to one of the USA's Goodwill Industries stores, think again. "Based on the MIT study, we're reviewing our policies about accepting computers," says Goodwill's Christine Nyirjesy Bragale.

Currently, many Goodwill locations will take only recent-model computers, because the older ones don't sell. And before they go onto the floor, Goodwill deletes all personal data from the hard drives.

But now, "if people's records can be picked up so easily, we'd be a conduit to that," she says. "That raises major concerns."

Hard Drives Exposed

PC World Magazine

By Tom Spring
PC World Magazine
May 2003

It's a chilly March Saturday at the Pit, a concrete holding pen for abandoned computer parts and drives at the Needham, Massachusetts, town dump. Nearby, three locals wait patiently in their idling cars.

An SUV pulls up. Driver James Curtin grabs an old PC from the back and puts it into the Pit alongside other drives, CRT monitors, and old computer chassis. Slowly the other men exit their cars and walk toward the discarded computer--one with a screwdriver in hand.

For these PC scavengers, the Pit is a gold mine for drives, memory chips, processors, and other components that they use to build PCs on the cheap. But they also routinely find something else: business and personal data that prior owners have left on discarded drives.

• "[On] almost every hard drive I pull, I'll find a tax return or a resume," says David Burns, who describes himself as a Needham regular.

The lesson for PC users? Old drives don't always die--or fade away. Often they are salvaged and reused in other computers. And when that happens, the drive data and sometimes-grimy secrets of previous users go with them.

Properly sanitizing a drive before giving away or reselling a computer requires only a small investment of time and an inexpensive disk-erasing tool. But many people don't even do minimal cleanup.

Drives--Data Galore

An examination of ten drives we bought or salvaged in the Boston area disclosed a wealth of sensitive data. On all but one of them, we found data, including confidential business, medical, and legal records; Social Security, credit card, and bank account numbers; e-mail; and even pornography.

Most of the information was easy pickings--even on four drives whose previous owners had attempted to erase data, either by deleting files and emptying the recycle bin or by reformatting the disk. Those measures simply conceal the data from the operating system. Not surprisingly, the equipment's former owners were shocked to learn that strangers had accessed their information.

• "I went through my PC and thought I had thoroughly deleted everything," Curtin said of his old TriGem 486.

A Boston computer store sold us a drive previously owned by an accountant--and crammed with four years' worth of his clients' payroll and tax information and employee Social Security numbers.

The accountant said that his nephew, who worked at a computer store, had removed the drive while upgrading his old computer several months earlier. The accountant said that he never thought to ask his nephew what had become of the hard drive.

Similarly, a Salvation Army store in Cambridge, Massachusetts, sold us a PC that had once belonged to an attorney; it still contained bank account numbers, an active America Online account (and a stored password), and draft legal documents on its hard drive.

• "I most certainly never expected my personal information would ever be more than just that--personal," said the attorney.

He said his firm's IT consultant had promised to properly destroy the data.

Our samples confirmed the findings of a study conducted earlier this year at the Massachusetts Institute of Technology. Two graduate students, Simson Garfinkel (who is also a prolific technology writer) and Abhi Shelat, bought 158 drives on EBay and from online shops.

Of 129 drives that worked, 69 had recoverable files and 49 contained personal information, including 3,700 credit card numbers, medical data, and pornography. Only 12 of the usable drives had been properly purged.

"This is a serious problem," Shelat says. Businesses become vulnerable when they unwittingly share sensitive information. And individuals leave themselves open to identity theft, a potentially ruinous crime that the Federal Trade Commission received nearly 162,000 complaints about in 2002--almost double the 2001 total.

Resurrected Drives

Tossing your drives out with the trash is no guarantee that it--and your data--will find a quiet resting place in a landfill. And scavengers like those at the Needham Pit are only part of the picture. As more towns and cities ban PCs from their landfills, businesses are cashing in.

Computer Salvage of New England collects old PCs and cannibalizes them for parts that it then sells. Similarly, the city of Cambridge pays a recycling company called Onyx Environmental Services to haul off PCs left for curbside pickup. Onyx salvages the parts and resells them.

Research firm Gartner Dataquest reports that businesses and individuals took about 150,000 drives out of service in 2002. Meanwhile, reported incidents of data security compromised by improper disposal of unwanted PCs have increased exponentially, says Gartner research director Frances O'Brien.

• "Companies don't think twice about giving hard drives a simple reformat and handing the PCs out to employees, charities, or whoever else can save them a buck on disposal costs," O'Brien says.

The Files on Drives...Are They Deleted or Hidden?

Even when people reformat the drive, a motivated sleuth can retrieve data using tools such as Norton SystemWorks' Disk Editor or the free Disk Investigator.

We did this on a drive purchased at the Super Computer Sale (a traveling computer fair), and uncovered research, e-mail messages, and a log of Web sites visited by employees at Fairfax Financial Holdings of Ontario, Canada.

• "It shouldn't have happened," said Brad Martin, Fairfax's vice president of investor relations. "We are going to make sure that something like this never happens again."

Another drive we bought at the computer fair had no operating system. But we identified the previous owner--and extricated 20MB of data documenting activities unprintable in this magazine.

Being able to recover deleted data can be useful: Ask anyone who's ever accidentally trashed a file. Hard drive data can help nail criminals, says Tom Galligan, owner of Electronic Evidence Recovery of Tiverton, Rhode Island.

But honest PC users have a legitimate interest in destroying data when they discard an old PC. Curtin wishes he had been more careful with his old drive. "I'll never make that mistake twice," he says.


Learn more about WipeDrive.

Popular Articles

Don't Just Delete It


Erasing data from your hard drive - permanently

Identity Theft Articles

• Discarded Computers Feature Story - Inside Edition
  Discarded computers, containing Social Security and tax information easily found in thrift shops, even town dumps.
  
  
• Identity Theft Statistics - USA Today
  Identity theft statistics now show that one in four U.S. households has been a victim of identity theft in the past five years.
  
  
• Keystroke Logger Captures Students Information - Deseret News
  A sophisticated keystroke logger computer program secretly recorded every keystroke Brigham Young University students made in a campus computer lab.
  
  
• Take Caution as Phishing E-mails Increase - Daily Universe
  Unknown to many, more and more scammers are using the World Wide Web as a snare to go "phishing" and catch innocent, unsuspecting users.
  
  
• E-Mail Paranoia - PC World
  Phishing Scams - What is phishing? How do scammers "phish" for your personal information?
  
  
• 14 Tips to Avoid Identity Theft - Bankrate.com
  Identity thieves rob more than 500,000 Americans every year. Credit can be damaged, and fixing it can cost you hundreds of dollars and take hundreds of hours of your time. These steps will help you avoid identity theft.
  
  
• By Hook or By Crook: Internet Identity Theft Takes New Forms - Daily Universe
  Referred to by one expert as the next generation of phishing attacks, pharming is the latest development in a dangerous trend of Internet identity theft.
  
  
• 8 Signs You May Know an Identity Thief - MSN Money
  A big chunk of identity theft is committed by the victim's nearest and dearest - or at least someone the victim knows.
  
  
• Identity Theft Prevention Techniques - KSL
  Learn from convicted check fraud felons the schemes they use to steal your identity
  
  
• Permanently Erase Deleted Files - Law Enforcement Technology Magazine
  How hard is it to steal and use someone's personal identity? Find out how deleted files can expose you to fraud...
  
  
• File Deleted? Not Really - Deseret News
  You deleted a file, and then you emptied the recycle bin. But is it really gone?
  
  
• Purge Sensitive Data - Kiplinger
  Purge sensitive information from old PCs
  
  
• ID Theft - The #1 Growing Crime In The U.S. - Daily Universe
  Why ID theft is growing so rapidly, and what you can do to make sure you're not the next victim.
  
  
• Identity Theft News- Hacker Victim Offers Advice On Identity Theft - KSL
  Learn how this victim had his identity stolen and how to protect yourself.
  
  
• 12 Steps To Avoid Internet Phishing Scams - TechRepublic
  What is a phishing scam? Steps to avoid being victimized by phishing scams.
  
  
• Recognizing and Avoiding Spyware - US CERT
  Learn how to avoid, block, and remove spyware. Experts from the US Computer Emergency Readiness Team show you how to effectively remove spyware and prevent future problems.
  
  

Erase Your Hard Drive

• Hard Drives Exposed - PC World
  Properly sanitize a hard drive before giving away or reselling a computer requires only a small investment of time and an inexpensive disk-erasing tool.
  
  
• How to Effectively Erase Files - Cyber Security Tips
  Unless you have taken the proper steps to make sure the hard drive, disk, or CD is erased, people may still be able to resurrect those files.
  
  
• Permanently Erase Deleted Files - Law Enforcement Technology Magazine
  How hard is it to steal and use someone's personal identity? Find out how deleted files can expose you to fraud...
  
  
• File Deleted? Not Really - Deseret News
  You deleted a file, and then you emptied the recycle bin. But is it really gone?
  
  
• Hard Drives Dumped; Information Isn't - The Mercury News
  Whether you recycle your old computer, sell it, give it away or take it to the dump, you may also be giving away personal information, even if you think you erased everything on your hard drive.
  
  
• Lines of Defense - Utah Business Magazine
  Electronic privacy is somewhat of an oxymoron. Computers and networks typically are set up to share information, not to hog it. Unfortunately, that design makes it easy to lose control of sensitive data
  
  

Getting Rid of Your Old Computer?

Erased Hard Drives Can Bite You - USA Today
Imagine this chilling scenario: You buy a new PC and donate the old one to charity, knowing you've protected your privacy by deleting all your old files...Yet you later discover you're a victim of identity theft

Skeletons On Your Hard Drive - CNET News
Tax records, resumes, photo albums - the modern hard drive can keep increasingly larger volumes of information. But that can be a problem when it comes to effectively erasing the devices.

Protect Yourself Before Getting Rid of That Old Home Computer - NASA
Unless you take the proper precautions, getting rid of your home computer might be your personal introduction to one of the fastest growing crimes in America - Identity-theft.

Hard Drives Dumped; Information Isn't - The Mercury News
Whether you recycle your old computer, sell it, give it away or take it to the dump, you may also be giving away personal information, even if you think you erased everything on your hard drive.

Harvesting Old Hard Drives - The Associated Press
So, you think you have cleaned all your personal files from that old computer hard drive you are selling? A pair of MIT graduate students suggests you think again.

WipeDrive Can Take the Hard Drive Data Away - CRN
Formatting hard drive data on a PC does not totally erase hard drive data, according to CRN Test Center engineers. Many times files are not erased, leaving the previous owner or business institution vulnerable to an invasion of privacy.

File Deleted? Not Really - Deseret News
You deleted a file, and then you emptied the recycle bin. But is it really gone?

Hard Drives Exposed - PC World
Properly sanitize a hard drive before giving away or reselling a computer requires only a small investment of time and an inexpensive disk-erasing tool

Product Reviews

• Clear Your Hard Drive with WipeDrive 5 - Smart Computing
  Product Reviewed - WipeDrive
  
  
• Deleted But Not Gone - New York Times
  Product Reviewed - WipeDrive
  
  
• WipeDrive Product Review - Law Office Computing Magazine
  Product Reviewed - WipeDrive
  
  
• Lines of Defense - Utah Business Magazine
  Product Reviewed - WipeDrive
  
  
• File Deleted? Not Really - Deseret News
  Product Reviewed - WipeDrive
  
  
• Purge Sensitive Data - Kiplinger
  Product Reviewed - WipeDrive
  
  
• Don't Just Delete It - Smart Computing
  Product Reviewed - WipeDrive
  
  
• WipeDrive Can Take the Data - CRN
  Product Reviewed - WipeDrive
  
  
• Cool Tools - The Latest From the Lab - NetworkWorldFusion
  Product Reviewed - SecureClean
  
  
• SecureClean and WipeDrive - Government Computer News
  Products Reviewed - SecureClean and WipeDrive
  
  

Want to write a story about our company or products?

WhiteCanyon Media Relations Contacts

WhiteCanyon recognizes that the news media provide vital data to our customers. It is our policy to provide public information to reporters in a fair and impartial manner, and to make media relations consultants available to reporters to assist them in their mission.

For media inquiries only; other contact numbers can be found using the Contact Us link.

Sales Department
websales@whitecanyon.com
Orem
1.801.224.8900

NIAP Evaluation

WipeDrive has passed the “Initial Validation Oversight Review” for testing by the Nation Information Assurance Partnership (NIAP). NIAP is a United States government initiative to meet the security testing needs of both information technology consumers and producers that is operated by Nation Security Agency (NSA) and the Nation Institute of Standards and Technology (NIST). The Department of Defense requires all software used on military systems to be evaluated by NIAP to the EAL4 standard.

To request details please contact .

Air Force Approval

WhiteCanyon is proud to announce that the US Air Force has completed its internal evaluation and specifically recommends only WipeDrive for use to securely wipe all Air Force computer systems. WipeDrive is the only software wiping tool that has passed the Air Force’s rigorous testing and is on its Approved Products List (APL).

To request the report please contact

Humana

WhiteCanyon is proud to announce our latest WipeDrive Enterprise customer Humana.

Humana is a Fortune 100 company and the world’s largest HMO now uses WipeDrive exclusively.

While data security is important to all enterprises, with the advent of HIPPA it is particularly important in the Health Industry. An important factor in Humana’s decision in choosing WipeDrive was WipeDrive’s acceptance by the Department of Defense as being compliant with its strict security requirements.

Cash America

WhiteCanyon is proud to announce that Cash America, the largest chain of pawn stores in the US, is now using WipeDrive exclusively on all systems taken in on pawn. With more than 700 stores in North America, Cash America takes in thousands of computers each week.

Important in Cash America decision to choose WipeDrive was that WipeDrive is the only software wiping tool that allows you the choice to either wipe the drives securely and completely or, using its SystemSaver technology, to just securely wipe everything except systems and applications.

Using SystemSaver technology, Cash America can now not only wipe systems of personal and corporate data while keeping the Windows operating system and applications intact, but can create a list of all the software, memory, hardware etc. on the computer so the buyer and seller know exactly what is on each system. This technology has dramatically improved the sell-through of pawned systems by 35%.

Air Force Approval

WhiteCanyon is proud to announce that the US Air Force has begun its rigorous internal evaluation of WipeDrive for use on all Air Force computer systems. The evaluation is expected to be completed in December of this year.

WhiteCanyon's Client List

Our client list is rapidly growing and is full of many large and respected companies. See some of the companies that protect themselves with our technologies!