The largest probe to date of used devices supposedly scrubbed of their data found that 40 percent still retained some amount of personal information.
Conducted by the National Association of Information Destruction (NAID), the study examined a random sample of 258 smartphones, tablets and hard drives. NAID hired data security provider CPR Tools to analyze the devices. First announced in January, the study’s findings were released concurrent with the annual NAID conference last week.
The results showed 50 percent of the tablets, 44 percent of the hard drives and 13 percent of the mobile phones retained personally identifiable information after being wiped.
Despite the varying percentages, Bob Johnson, CEO of NAID, pointed to the relatively small sample size of each device type and explained the big takeaway is the overall trend that a substantial portion of disposed and wiped storage devices continue to contain personal information.
“The average person out there doesn’t think about these things, so it is a way to remind them that … this stuff is on this equipment,” he said in an interview. “It isn’t like the bad guys don’t know it’s there.”
All 258 devices used in the study were purchased by Johnson over the internet. He bought storage devices from eBay, Amazon, Newegg and other online marketplaces, buying just one or two from any single vendor in order to draw from a range of sources. The criteria included staying within a particular price range, and the hard drive had to be advertised as used and wiped of data.
Roughly two-thirds of the sources NAID purchased used devices from were commercial ventures, as opposed to an individual selling their own personal device.
CPR Tools went to work on the devices but did not analyze them as thoroughly as the testers could have. That was by design, Johnson said.
Some previous studies employed elaborate tactics to obtain data from supposedly wiped devices. The fact that some were completed in an academic research lab might give the impression one has to be a top tech expert to be able to access personally identifiable information on devices. That’s not the case, Johnson said.
“We specifically went to (CPR Tools) and we said, ‘Plug ’em in. We want you to find what an unsophisticated teenager could find using downloaded shareware,'” Johnson said. The goal was to communicate how easy it is even for fairly amateur data thieves.
A continuing trend
The concept of testing wiped devices goes back about 15 years, when a research team purchased 158 used hard drives and probed them for any remaining personal information. Since that research – which found a significant number of devices contained personally identifiable information even after being wiped – several studies have consistently elicited the same results.
With the new study, NAID aimed to raise further awareness. Although more and more companies are realizing the importance of proper IT asset disposition (ITAD) procedures, there is still a communication gap that leaves many consumers vulnerable.
John Shegerian, CEO of ERI, responded to the “eye-opening” findings this week, stating they serve as an “urgent warning of an ongoing threat to our national security and individual privacy as Americans.”
Not an indictment
Johnson made clear NAID does not view the results as reflecting poorly on the industry as a whole.
“It’s really not an indictment of the process, nor an indictment of reputable service providers. It’s more that people are not paying attention to the qualifications of service providers they’re putting (devices) through,” Johnson said.
Shegerian agreed, noting “the problem lies with service providers who are not qualified and, too often, with businesses and individuals who feel they can do it themselves.”
In the initial announcement that NAID would conduct the study, the organization said it would aggregate the data to avoid publicly shaming any ITAD firms. But if regulators took interest, NAID said it would offer the full findings to the government. So far, it hasn’t heard from any enforcement authorities, Johnson said.
“If health information turns up on a hard drive, some covered entity violated the security rule in HIPAA, and it’s not like you don’t know who they are – you’ve got their hard drive,” Johnson said. “Every instance where personally identifiable information was found, there is a violation of law.”
While it will ultimately be up to NAID’s board of directors, Johnson said he hopes the study becomes a continuing project to chart trends over the years.