A recent study states that 40% of of used digital devices still contained personal information from previous owners.
This should be a worrying figure for anyone who works with sensitive personal, financial, or medical information in their organization. It should be even more worrying for those who fall under security or privacy compliance requirements.
The reports goes on to state that the sensitive information was recovered not using sophisticated forensics tools, but freely downloadable software. The nature of digital data and storage mechanisms makes it easy for a lightly skilled person with limited funds to pick up used equipment and harvest your sensitive information to sell on the dark web.
We would all rather see our used computers, phones, and other digital devices get a second life rather than be dumped in a landfill somewhere. So what can we do to protect ourselves while recycling our systems?
First, any business or organization should have a requirement to sanitize any devices before selling, donating, or disposing of them. Next, that organization should have processes defined for accurate and repeatable sanitization of all device types in use.
For computers and laptops, the hard drive or solid-state drive is the key. You have two choices: digitally wipe the drives or physically destroy them. You can do the first yourself. Programs like Darik’s Boot and Nuke (DBAN) and Parted Magic allow you to create a bootable CD or flash drive and wipe a drive while it’s in the computer. DBAN is free and works with magnetic hard drives only (the ones with spinning platters). Parted Magic works with both magnetic hard drives and newer solid-state drives. Both applications work by overwriting every individual bit of data on the drive. You can do this once or multiple times. Most people recommend at least a 3-pass wipe, but the US Department of Defense mandates a 7-pass wipe for it’s unclassified systems.
You may also choose to destroy the drives. This choice is often taken by organizations that don’t want to deal with digitally wiping drives. Many times when you see larger organizations selling or auctioning old computers, they will do so without the storage drives. The buyer must add a storage drive back to the system for it to be usable. These organizations have chosen to physically destroy rather than digitally wipe. Organizations can contract with companies such as Shred-It or Gone for Good to perform the physical destruction.
Other programs such as Eraser allow you to overwrite individual files on systems that are still in use without wiping the entire drive. This type of program is also well suited to sanitize USB flash drives and removable media cards such as SD, Compact Flash, and Memory Stick.
When it comes to phones, the process is less well known. All storage on iPhones is encrypted by default. Because of this, Apple only recommends that you use the built-in “Erase All Content and Settings” functionality. For Android phones, the process is a little more complex (but not much). Since Android phones don’t ship with hardware-level encryption, you are probably using it without encrypting your data. Start by enabling encryption on your Android phone or tablet. This will take some time to complete, but will ensure that your data is not directly readable in the clear. Once it’s encrypted, you can then reset your device to factory settings. This only performs a “lazy” deletion of files, but the previous encryption step is what protects you. Once the encryption key is deleted, the rest of the data is unusable. If you’d like a little more certainty with your Android, you can always sync a few large videos to overwrite previous data or download a wipe or shredder type program from the Google Play store.
Business owners and decision makers, do you have requirements and processes to ensure every device you sell, donate, or dispose is not threatened by data theft? Could your sensitive data be recovered and sold to criminals? Would this part of your compliance requirement stand up to scrutiny?
If you are unsure or know you need help, feel free to email (firstname.lastname@example.org) or call (501-590-3278) us.