Consumers Donate Data with Recycled Electronics
With the rapid turnover of technology, many consumers willingly trade in, sell or donate their old electronics, often without ensuring that all of their data has been wiped clean, according to new findings from Rapid7.
In a recent experiment conducted by Rapid7’s Josh Frantz, nearly every device he analyzed contained some form of personally identifiable information (PII) left over from its previous owner. Over the span of six months, Frantz looked at a collection of recycled consumer electronics, including laptops, smartphones and external drives. Even though many thrift shops claimed to wipe devices before reselling them, the devices contained such information as passwords, social security numbers and banking information.
In total, Frantz found 41 social security numbers, 19 credit card numbers and two passport numbers among a trove of additional PII. Additionally, he extracted 147,000 emails and 214,000 images. “I used pyocr to try to identify Social Security numbers, dates of birth, credit card numbers, and phone numbers on images and PDFs. I then used PowerShell to go through all documents, emails, and text files for the same information. You can find the regular expressions I used to identify the personal information here,” Frantz wrote in today’s report.
According to the findings from Frantz’s months-long experiment, not only are the thrift shops not holding up their end of the bargain, but consumers are also turning in devices without wiping them clean, an obvious recipe for disaster. Of the 85 devices analyzed, only two of them were properly erased and a mere three were encrypted.
Given the ease with which these types of data can be accessed and sold, Frantz found that the value of the data itself has dropped to less than $1 per record on the dark web.
“Realistically, unless you physically destroy a device, forensic experts can potentially extract data from it. If you’re worried about potential data exfiltration, it’s best to err on the side of caution and destroy it. However, wiping your device is usually enough, and can be a very easy and relatively painless process,” Frantz said.
This article appeared in InfoSecurity magazine.