A new report from Abertay University has exposed how widespread the security risks are when selling used storage devices. The research (opens in new tab), led by student James Conacher, found 75,000 ‘deleted’ files were easily recovered from second-hand USB drives and SSDs purchased online.
Although 98 out of the 100 purchased storage devices appeared to be empty, in reality, only 32 had been properly wiped. With publicly available tools, it was possible to extract partial files from 26 of the drives, while every file was retrieved from the remaining 42 devices.
Among the files recovered was highly sensitive information, including bank statements, passwords and tax returns.
- The best free cloud storage (opens in new tab) service available today
- Our list of the best portable SSDs (opens in new tab) on the market
- Also, check out our list of the best cloud backup solutions (opens in new tab)
“An unscrupulous buyer could feasibly use recovered files to access sellers’ accounts if the passwords are still valid, or even try the passwords on the person’s other accounts given that password re-use is so widespread,” Professor Karen Renaud from Abertay University’s Division of Cybersecurity explained.
“They would likely be able to find a seller’s e-mail address from the files we found on the drive. They could try to siphon money from the bank accounts or even blackmail a seller by threatening to reveal embarrassing information.”
While it may appear that deleting files is a straightforward process, it is actually a little bit more complicated. When most computers ‘delete’ files, what they actually do is simply remove them from the viewable index. Easily available forensic tools can then be used to recover them.
Bespoke software is available for anyone looking to permanently delete files and this is highly recommended for anyone looking to sell an old USB drive. If, on the other hand, you just want to throw the drive away, it is best to destroy it with a hammer before chucking it in the bin.
Interestingly, the Abertay research team did not find any malware across the 100 drives, suggesting that although the risk to sellers of old storage devices is high, buyers are likely to be fine.
- Also, check out our roundup of the best file recovery software (opens in new tab)