Two-thirds of second-hand memory cards still contain previous owners' data

Camera and memory cards

According to new research from the UK's University of Hertfordshire, two-thirds of memory cards on the second-hand market still contain data belonging to the previous owner, putting their privacy and security at risk.

Even if you've formatted your card or erased its contents, the data may still be easily recoverable using free consumer software.

The university's researchers studied 100 used SD and microSD cards purchased from eBay, second-hand shops, conventional auctions and other sources over a four-month period. They made a virtual copy of each card, then used regular data recovery software to retrieve the previous owners' files.

The results were alarming, with intimate photos, selfies, GPS data, scans of ID documents and contact lists all there for the taking.

Of the 100 cards analyzed, 36 hadn't been wiped at all before being sold. Another 29 had been formatted, and two had their data deleted, but it was all easily recoverable.

Only 25 cards had been properly erased using a program that overwrites files multiple times, making them irretrievable. Four of the cards were broken, and four more were blank.

Formatting isn't enough

“This research uncovers the prevalence of second-hand memory cards providing a rich source of sensitive data, that could easily be misused if a buyer so wished," said Professor Andrew Jones, the University of Hertfordshire's professor of cyber security.

"Despite the ongoing media focus on cybercrime and the security of personal data, it is clear from our research that the majority are still not taking adequate steps to remove all data from memory cards before sales."

Professor Jones said sat-nav data is particularly sensitive. Not only can it be used to determine where a person lives, it can also reveal where they work, and the whereabouts of their families and friends.

“As exemplified in this report, often the problem is not that people don't wipe their SD cards; it's that they don't do it properly," added Paul Bischoff, privacy advocate for tech service comparison site Comparitech, which commissioned the research. 

"Simply deleting a file from a device only removes the reference that points to where a computer could find that file in the card memory. It doesn't actually delete the ones and zeros that make up the file. That data remains on the card until it is overwritten by something else.

"For this reason, it's not enough to just highlight all the files in a memory card and hit the delete key. Retired cards need to be fully erased and reformatted."