According to a recent study, huge amounts of personal data are still recoverable from second-hand drives for sale on eBay. If you’re selling your hard drive or solid-state drive, make sure your personal data is actually deleted!
Blancco Technology Group, a Finnish company that specialises in secure erasure of data from storage devices, purchased 159 second-hand hard disk drives and solid-state drives from eBay in the UK, Germany, Finland and the US in September and October 2018 – and 42% (a total of 66 drives) contained data from the previous owner that was easily accessible using data recovery software. Blancco also found personal data identifying the previous owners of 15% (25 in total) of the drives they examined.

Even more worrying is what some of the hard drives contained. One belonged to an ex-government official and contained scanned birth certificates, CVs and images of passports. Another drive had archived emails from a well-known travel business. One drive even belonged to a school and contained photos and documents pertaining to pupils. Drives belonging to a hospital – containing test footage of recording equipment that identified the location – as well as 3GB of data from a cargo/freight company, were also discovered.

Each of the sellers was confident that the correct data sanitisation methods had been adhered to, and that no data had been left behind on the drives. Most of the drives that were analysed had simply been formatted, showing that formatting a drive does not permanently wipe it; we’ve previously written about data recovery from a formatted drive.
Personal and business data is a goldmine for a potential cybercriminal. It doesn’t take a great deal of expertise to recover data from a drive that has simply undergone a low-level format, which only removes the file index. Business information could be used to steal customers and make a profit, or potentially be used to blackmail the original owner. Likewise, personal data like scans of passports and birth certificates could be used to steal the original owner’s identity.

To ensure the next owner of your hard drive or solid-state drive can’t access your data, you need to follow the correct data sanitisation procedure. Sanitisation is the process by which you securely erase all traces of data from a storage device, beyond simply dragging and dropping it to the Recycle Bin or Trash, or formatting. Default tools – like Disk Management on Windows or Disk Utility on Mac OS X – only remove the index entry, or pointer to the data. From the file system’s point of view, the file is gone, and the sectors are allocated as free space for additional data to be written over them. Only overwriting the space where the previous data was stored ensures the old data is unrecoverable; there are loads of data recovery programs out there that can recover data that has only been deleted.

We recommend using data sanitisation software like Darik’s Boot and Nuke, or DBAN, which is freeware. You can read in more detail about securely erasing a drive here.
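One way to check, before listing a drive, that the overwrite actually reached the data sectors and not just the index; this is an added example, not part of the original article or the Blancco study. The signature list, function names and the 8-sector sample image are assumptions constructed for illustration.

```python
import io

SECTOR = 512
# Magic bytes of common file types (assumed, non-exhaustive list for illustration).
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/office",
    b"\x89PNG\r\n\x1a\n": "png",
}

def audit_image(stream, sector=SECTOR):
    """Read a raw device or image sector by sector and summarise leftover data."""
    report = {"sectors": 0, "nonzero": 0, "hits": {}}
    while True:
        block = stream.read(sector)
        if not block:
            break
        report["sectors"] += 1
        if block.count(0) != len(block):
            report["nonzero"] += 1
        # Files start on cluster boundaries, which are sector-aligned,
        # so only the start of each sector is checked for a header.
        for magic, name in SIGNATURES.items():
            if block.startswith(magic):
                report["hits"][name] = report["hits"].get(name, 0) + 1
    return report

def verdict(report):
    if report["hits"]:
        return "residual files"          # old file headers survived
    if report["nonzero"] == 0:
        return "zero-filled"             # consistent with a zero-fill wipe
    return "non-zero, no known headers"  # e.g. random-pass wipe; inspect further

def formatted_sample():
    """Constructed 8-sector image: index sector blanked, two file bodies intact."""
    sectors = [bytes(SECTOR)] * 8
    sectors[3] = (b"\xff\xd8\xff\xe0" + b"J" * SECTOR)[:SECTOR]
    sectors[5] = (b"%PDF-1.4" + b"P" * SECTOR)[:SECTOR]
    return b"".join(sectors)

if __name__ == "__main__":
    for label, data in (("formatted", formatted_sample()), ("overwritten", bytes(8 * SECTOR))):
        report = audit_image(io.BytesIO(data))
        print(label, report, "->", verdict(report))
```

For a real drive, pass a read-only binary handle to the raw device or to an image of it instead of the constructed sample. On a large drive wiped with random data, a short signature can match by chance, so treat a few hits there as a prompt to inspect those sectors.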