Security firm Secarma recovers data from drives bought on eBay

Formatting hard drives does not delete data, security firm Secarma has warned after recovering data from recycled drives bought on eBay

Formatting hard drives does not necessarily delete data stored on them, a security firm has warned.

Secarma issued the warning to businesses after recovering personal data – including passwords and login information – from erased and formatted hard drives bought online.

The security firm, an arm of cloud and colocation specialist UKFast, was invited by BBC Radio show Naked Scientists to investigate the security of recycling hard drives.

This practice is common for environmentally conscious businesses, but the investigation found that, despite users password-protecting and deleting data archives from hard drives they sold on, sensitive data was still recoverable.

For the investigation, Secarma searched eBay for a hard drive that was "preformatted ready to use".

Read more about data deletion

“The label ‘formatted’ gets used so loosely in technology that people don’t fully understand its true definition, misinterpreting it to mean ‘deleted’ and gone forever,” said Stuart Coulson, a  cyber security expert at Secarma.

“Unfortunately this isn’t entirely true, as a quick recovery uncovered hundreds of student and dissertation data from a humanities college,” he said.

Secarma extracted data from the drives bought on eBay using off-the-shelf recovery software. The data retrieved included student user login details and links to coursework from the preformatted hard drive.

“Businesses should heed the warning that 'formatted' does not mean 'erased forever’, as they could be inadvertently sharing confidential corporate data, or worse, client data which it is their duty to protect,” said Coulson.

Firms looking to remain environmentally friendly by recycling or reselling old drives should use computer recycling and disposal services that will provide a Certificate of Destruction, Coulson said.

Article 7 of the Data Protection Act (DPA) requires all owners of data to ensure the appropriate protocol is put in place when deleting data.

The Information Commissioner’s Office (ICO), which enforces the DPA, imposed one of the biggest monetary penalties to date on the Brighton and Sussex University Hospitals Trust after highly sensitive personal data of patients and staff was discovered on hard drives sold on eBay in October and November 2010.

Read more on Privacy and data protection