Most HDDs Purchased Online Contain Personal Data – Ultratec

Ultratec Ltd., UK’s data security solution service provider, announced the startling results of its independent survey, carried out by the University of South Wales‘ Computer Forensics Lab.

The investigation reveals that most HDDs purchased online contained personal data.

Ultratec specialises in erasing or destroying data from all types of electronic media. In the wake of a £200,000 fine levied against NHS Surrey by data regulators for the loss of more than 3,000 patients’ sensitive information, it commissioned Professor Andrew Blythe and his team at the Computer Forensics Lab, University of South Wales to find out if HDDs purchased online contained any data. The point of the study was to assess consumer and seller awareness levels in the wake of a number of high-profile data security scandals involving both public and private organisations.

The study found that although most consumers are more aware of the risks associated with data security, many companies offering products on auction sites are still ignoring the potential consequences and selling HDDs containing personal and/or corporate data.

The Ultratec investigation targeted IT parts resellers and recyclers who use online auction sites to sell their drives or computers. Some drives were purchased as having been wiped or erased and others were purchased as defective.

Each HDD was examined by Professor Andrew Blyth and his team at the University of South Wales. Ultratec describes the results as shocking with the study demonstrating that even HDDs which have been allegedly ‘wiped’ still contained personal and sensitive data.

Professor Blythe said: "Ultratec, considered by many to be leaders in the field of data destruction, commissioned an independent study in 2012 to find out if HDDs purchased online contained any data. We approached Ultratec as they have demonstrated how to correctly destroy data on millions of disks over a 17 year period. This is something that cannot be taken lightly and we wanted to see if others had the same expertise, commitment and results.

Ultratec’s information assurance consultant Bill Osborne, who is on the advisory council of the Asset Disposal and Information Security Alliance (ADISA) is one of a group of experts in the area of risk management, compliance and data protection within the area of IT Asset Disposal.

He said: "There is no doubt that this investigation has thrown up some very troubling findings. It highlights the very real threat of data security and shows that there is still a long way to go until sensitive data removal is approached correctly by the majority."

The report into the investigation’s findings states: "There appear to be a number of disks containing a mixture of corporate and personal data. This suggests that either the user is working on corporate data on a home system, which raises security issues, or the user is carrying out personal activities on corporate systems, which could also raise concerns. For example 6 of the 125 HDDs contained pornographic material but of the 6 HDDs, one could be determined as originating from a corporate environment."

The Ultratec report is part of an international effort to raise awareness about the importance of data security and will be published in full later this year. Its efforts come on the back of an increased international push to reduce data offences and safeguard sensitive information. In the UK, the Information Commissioner is currently seeking custodial sentences for serious data offences and potential fines of up to 2% of global turnover after stating that the current cap on fines of £500,000 is not sufficient and tougher penalties including prison sentences are needed. The custodial sentences, first introduced by the Criminal Justice and Immigration Act 2008, require activation by secondary legislation. This is expected to be debated following the recent Directive on Network and Information Security proposed by the EU.

The full report will be published later this year.