Companies are still selling on old hard drives without taking the slightest precaution to wipe business-sensitive data first, a study has found.
The BT-funded research, carried out by the University of Glamorgan in Wales, analysed 317 hard drives purchased second-hand in the UK, Australia, Germany and the US.
About 35 to 40 percent of these turned out to come from businesses, 23 percent of which contained enough information to identify the specific company that had owned them, using only off-the-shelf analysis tools. A shocking five percent held sensitive business information.
A further 25 percent came from individuals, while the remainder could not be identified. Researchers found many hard drives chock-full of porn, and even had to refer two hard drives to the police for suspected paedophile crimes.
The study - a follow-up to an almost identical one conducted on behalf of BT last year - found that the treatment of hard disks had barely improved since then, said Dr Andy Jones, head of Security Technology Research at BT.
“We’ve seen a huge increase in corporate governance. This is a measurable metric of how well companies are doing in implementing all this security,” said Jones.
The main problem was that “once an organisation disposes of assets, it gives up ownership or responsibility,” he said. “How much are you going to invest cleaning something that is only worth £5-£10?”
The disks were bought from a random selection of auction sources. Of the countries surveyed, the UK did relatively well by the admittedly low standards of data security uncovered.
A quarter of the 200 drives that came from the country had been competently wiped.
Many others simply had files deleted in Windows or had reversible processes such as disk formatting applied to them.
Overall, four out of ten drives bought second-hand didn’t even work, suggesting that petty fraud afflicts the second-hand drive market as much as lax data security.
The full report is not available online, but will be published this October in the quarterly Journal of Digital Forensics, Security and Law, which has its own website.
Another issue identified by Jones was the quality of disk wiping tools available to the general public and company IT staff alike – many of them did not work well, researchers found.