The electronic devices that users get rid of, whether delivered to a specific collection point or to a thrift store, must go through a data deletion process. That process is not always carried out, or is done incorrectly, as denounced by the cybersecurity firm Rapid7, which means that any other person who acquires that device can access the data it stores, much of it private.
An experiment conducted by cybersecurity consultant Josh Frantz has revealed the amount of private and sensitive data that discarded electronic devices store. For this, Frantz acquired 85 electronic devices in 31 second-hand stores in Wisconsin (United States) and later analyzed them, as he explained on the Rapid7 blog.
With a budget of 600 dollars (about 528 euros), he bought 41 computers, 27 memory cards, 11 hard drives and 6 mobile phones. Once they were acquired, the consultant set out to extract the information that was on them. This process led him to analyze all the devices and store all their information on a USB; of the 85 devices analyzed, only one Dell computer and one Hitachi 20GB hard drive had been successfully erased, and only three computers were encrypted.
Among the information obtained by Frantz were 214,019 images, 3,406 documents and 148,903 emails, from which 611 email addresses, 50 birth dates, 55 Social Security numbers, 19 credit card numbers, 6 driver's license numbers and 2 passport numbers could be extracted.
Most of the credit card numbers, as well as the two passports, were obtained from scanned images, as highlighted by the cybersecurity consultant.
Ensure the removal of data
At the end of this experiment, which took six months of work, the investigation revealed that users do not dedicate time to data deletion and that many companies do not comply with their guarantee to erase the data on the devices that people give them.
Therefore, the author of the research advises that when you donate or sell any electronic device that will no longer be used, it is necessary to make sure that all the information has been deleted and cannot be recovered.
Frantz explains that completely destroying the equipment by incineration, acid or even thermite (a composition of aluminum and a metal oxide that produces a pyrotechnic reaction) guarantees the elimination of the data. But without having to resort to such extreme measures, he assures that "normally it is enough" to "delete your device".
For this process, it is recommended to use DBAN to erase any type of hard disk. For solid state disks or multiple RAID disks, you should use PartedMagic.
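To confirm that a wipe actually took effect before a device is donated or sold, the disk (or an image of it) can be read back and checked for leftover structured data. The following is an added example, not code from the article or from Rapid7; it assumes a successful wipe leaves only zeros or random-looking bytes, and the block size, entropy cutoff and sample content are assumptions chosen for illustration.

```python
import math
import os
import tempfile
from collections import Counter

BLOCK = 4096        # bytes per block; image size assumed to be a multiple of it
MIN_ENTROPY = 7.5   # bits/byte; assumed cutoff for "random-looking" overwrite data

def classify(block: bytes) -> str:
    """Label one block as 'zero', 'random' or 'residual'."""
    if block.count(0) == len(block):
        return "zero"
    n = len(block)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(block).values())
    return "random" if entropy >= MIN_ENTROPY else "residual"

def audit(path: str) -> dict:
    """Read an image (or device node) block by block and tally the labels."""
    tally = {"zero": 0, "random": 0, "residual": 0, "first_residual_offset": None}
    offset = 0
    with open(path, "rb") as fh:
        while chunk := fh.read(BLOCK):
            label = classify(chunk)
            tally[label] += 1
            if label == "residual" and tally["first_residual_offset"] is None:
                tally["first_residual_offset"] = offset
            offset += len(chunk)
    return tally

def looks_wiped(path: str) -> bool:
    """True only if no block contains structured, low-entropy data."""
    return audit(path)["residual"] == 0

if __name__ == "__main__":
    # Constructed sample: two zeroed blocks, one block of leftover mail text,
    # one block of random overwrite data.
    leftover = (b"From: alice@example.com\r\nSubject: invoice\r\n" * 200)[:BLOCK]
    with tempfile.NamedTemporaryFile(delete=False) as img:
        img.write(b"\x00" * BLOCK * 2 + leftover + os.urandom(BLOCK))
    print(audit(img.name), "wiped:", looks_wiped(img.name))
    os.remove(img.name)
```

A clean result is necessary but not sufficient: compressed or encrypted leftovers also look random, so any residual block is a definite failure while zero residual blocks still depends on the wipe tool having completed over the whole device.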