A whopping two-thirds of secondhand USB drives contain recoverable data from the previous owner, including some highly sensitive and personal information, according to a new study.
The study, done by the University of Hertfordshire and commissioned by Comparitech, said almost 70 percent of secondhand USB flash drives sold in the U.S. and U.K. still contain recoverable data from their previous owners. Researchers purchased 200 USB memory sticks – 100 in the US, 100 in the UK – from eBay, secondhand shops, and traditional auctions, Comparitech said.
Of the 100 drives purchased in the U.S., 64 had data deleted but it could easily be recovered. The corresponding number was 47 for the U.K.
“Researchers discovered a wide range of intimate, private, and sensitive files,” Paul Bischoff, a privacy advocate who writes for Comparitech.com, said. That includes nude photos, business documents, ID scans, job applications, wage slips, private memos, tax statements, receipts, and medical documents.
Details of some of the more notable recovered data includes:
- Nude images of a middle-aged man along with name and contact details.
- A collection of photos of bundles of money and shotguns.
- Documents containing the stock exchange dealings of a trader along with a passport.
- Wage slips and tax statements with name, address, and contact details.
- A resume and filled-out tax form with full name and address.
The data recovered from secondhand USB drives could be exploited for phishing, identity theft, and extortion, Comparitech said.
“One of the criteria that the study applied to the recovered data was to ask ‘would this data be of value to a cybercriminal?'” Andrew Jones from the Cyber Security Centre at the University of Hertfordshire said. “If a person can be identified in sufficient detail — name, address, email, phone number — then this information has potential value to a criminal for identity theft."
Onus on USB drive owners
Jones said that data does not go away when you simply delete it or do a high-level format. And the onus is on the USB drive owner to make sure the data is not recoverable.
"Most people still believe that a simple delete will destroy the data and that is all they need to do," Jones told Fox News via email.
"Media that has had a high-level format (quick format) is still vulnerable as the process does not overwrite the media. If a low-level format is undertaken then it does an effective job, but most people do not use it as it takes significantly longer than the quick format," he added.
There are a number of tools already freely available, such as media wiping tools, encryption and formatting of media that will help completely erase data.