Hard Drives Exposed
Published: May 01, 2003
By Tom Spring
PC World Magazine
It's a chilly March Saturday at the Pit, a concrete holding pen for abandoned computer parts and drives at the Needham, Massachusetts, town dump. Nearby, three locals wait patiently in their idling cars.
An SUV pulls up. Driver James Curtin grabs an old PC from the back and puts it into the Pit alongside other drives, CRT monitors, and old computer chassis. Slowly the other men exit their cars and walk toward the discarded computer--one with a screwdriver in hand.
For these PC scavengers, the Pit is a gold mine for drives, memory chips, processors, and other components that they use to build PCs on the cheap. But they also routinely find something else: business and personal data that prior owners have left on discarded drives.
"[On] almost every hard drive I pull, I'll find a tax return or a resume," says David Burns, who describes himself as a Needham regular.
The lesson for PC users? Old drives don't always die--or fade away. Often they are salvaged and reused in other computers. And when that happens, the drive data and sometimes-grimy secrets of previous users go with them.
Properly sanitizing a drive before giving away or reselling a computer requires only a small investment of time and an inexpensive disk-erasing tool. But many people don't even do minimal cleanup.
An examination of ten drives we bought or salvaged in the Boston area disclosed a wealth of sensitive data. On all but one of them, we found data, including confidential business, medical, and legal records; Social Security, credit card, and bank account numbers; e-mail; and even pornography.
Most of the information was easy pickings--even on four drives whose previous owners had attempted to erase data, either by deleting files and emptying the recycle bin or by reformatting the disk. Those measures simply conceal the data from the operating system. Not surprisingly, the equipment's former owners were shocked to learn that strangers had accessed their information.
"I went through my PC and thought I had thoroughly deleted everything," Curtin said of his old TriGem 486.
A Boston computer store sold us a drive previously owned by an accountant--and crammed with four years' worth of his clients' payroll and tax information and employee Social Security numbers.
The accountant said that his nephew, who worked at a computer store, had removed the drive while upgrading his old computer several months earlier. The accountant said that he never thought to ask his nephew what had become of the hard drive.
Similarly, a Salvation Army store in Cambridge, Massachusetts, sold us a PC that had once belonged to an attorney; it still contained bank account numbers, an active America Online account (and a stored password), and draft legal documents on its hard drive.
"I most certainly never expected my personal information would ever be more than just that--personal," said the attorney.
He said his firm's IT consultant had promised to properly destroy the data.
Our samples confirmed the findings of a study conducted earlier this year at the Massachusetts Institute of Technology. Two graduate students, Simson Garfinkel (who is also a prolific technology writer) and Abhi Shelat, bought 158 drives on EBay and from online shops.
Of 129 drives that worked, 69 had recoverable files and 49 contained personal information, including 3,700 credit card numbers, medical data, and pornography. Only 12 of the usable drives had been properly purged.
"This is a serious problem," Shelat says. Businesses become vulnerable when they unwittingly share sensitive information. And individuals leave themselves open to identity theft, a potentially ruinous crime that the Federal Trade Commission received nearly 162,000 complaints about in 2002--almost double the 2001 total.
Tossing your drives out with the trash is no guarantee that it--and your data--will find a quiet resting place in a landfill. And scavengers like those at the Needham Pit are only part of the picture. As more towns and cities ban PCs from their landfills, businesses are cashing in.
Computer Salvage of New England collects old PCs and cannibalizes them for parts that it then sells. Similarly, the city of Cambridge pays a recycling company called Onyx Environmental Services to haul off PCs left for curbside pickup. Onyx salvages the parts and resells them.
Research firm Gartner Dataquest reports that businesses and individuals took about 150,000 drives out of service in 2002. Meanwhile, reported incidents of data security compromised by improper disposal of unwanted PCs have increased exponentially, says Gartner research director Frances O'Brien.
"Companies don't think twice about giving hard drives a simple reformat and handing the PCs out to employees, charities, or whoever else can save them a buck on disposal costs," O'Brien says.
The Files on Drives...Are They Deleted or Hidden?
Even when people reformat the drive, a motivated sleuth can retrieve data using tools such as Norton SystemWorks' Disk Editor or the free Disk Investigator.
We did this on a drive purchased at the Super Computer Sale (a traveling computer fair), and uncovered research, e-mail messages, and a log of Web sites visited by employees at Fairfax Financial Holdings of Ontario, Canada.
"It shouldn't have happened," said Brad Martin, Fairfax's vice president of investor relations. "We are going to make sure that something like this never happens again."
Another drive we bought at the computer fair had no operating system. But we identified the previous owner--and extricated 20MB of data documenting activities unprintable in this magazine.
Being able to recover deleted data can be useful: Ask anyone who's ever accidentally trashed a file. Hard drive data can help nail criminals, says Tom Galligan, owner of Electronic Evidence Recovery of Tiverton, Rhode Island.
But honest PC users have a legitimate interest in destroying data when they discard an old PC. Curtin wishes he had been more careful with his old drive. "I'll never make that mistake twice," he says.
Learn more about WipeDrive.Tagged:
data erasure, privacy protection, computer disposal