ICO report finds many people becoming a Soft Touch for online fraudsters

By The Information Commissioner’s Office


News release 25 April 2012

The Information Commissioner’s Office (ICO) is urging consumers to take better care of their data, following an investigation into the trade in used hard drives. The ICO has published new guidance (see Annex A) to help individuals securely delete personal information from their old devices.

An investigation by the ICO found that one in ten second-hand hard drives sold online may contain residual personal information. An ICO survey also found that 65% of British adults now hand on their old phones, computers and laptops to another user, with 44% giving it away to somebody else for free and around one in five (21%) selling it to somebody else.

In December 2010, the ICO asked a computer forensics company – NCC Group – to source around 200 hard drives, 20 memory sticks and 10 mobile phones. The devices were mainly bought online from internet auction sites and some were sourced at computer trade fairs. The devices were then searched, initially without any additional software, and then interrogated using forensic tools freely available on the internet.

The research found that, while 52% of the hard drives investigated were unreadable or had been wiped of data, 48% contained information and 11% was personal data. The amount of personal data found on the mobile phones and memory sticks was negligible.

In total 34,000 files containing personal or corporate information were recovered from the devices. At least two of the hard drives contained enough information to enable someone to steal the former owner’s identity. The residual documents included scanned bank statements, passports, information on previous driving offences, and some medical details. A further four hard drives contained information about the employees and clients of four organisations, including individuals’ health and financial details.

All four organisations were contacted and have now taken action to ensure people’s information is securely deleted from redundant equipment, or the equipment is destroyed as necessary. One company – Safe and Secure Insurances Services Limited – has also signed an undertaking to introduce further improvements.

Announcing the outcome of today’s report, Information Commissioner, Christopher Graham said:

“We live in a world where personal and company information is a highly valuable commodity. It is important that people do everything they can to stop their details from falling into the wrong hands. Today’s findings show that people are in danger of becoming a soft touch for online fraudsters simply because organisations and individuals are failing to ensure the secure deletion of the data held on their old storage devices.

“Many people will presume that pressing the delete button on a computer file means that it is gone forever. However this information can easily be recovered.

“The ICO has published guidance to help individuals securely delete information stored on their old devices. We hope this publication will help people to take better control of their personal data.”

We have also published a survey to coincide with the research project looking at people’s attitudes towards data disposal. The survey shows that 65% of people now hand on their old phones, computers and laptops to another user, with 44% giving it away to somebody else for free and around one in five (21%) selling it to somebody else. This figure rises to 31% of 18-24 year olds selling their mobile phone, computer or laptop to somebody else.

The survey also found that an alarming one in ten people who have ever disposed of a mobile phone, computer or laptop, said that they had never deleted information held on a device before disposing of it, potentially allowing their data to be accessed by the next person who used it.

Getting rid of your computer? Laptops, mobile phones and other devices may contain personal information that you wouldn’t want others to see, such as passwords and credit card information.

It’s important to properly delete any personal information before you sell or dispose of your hardware, so that it cannot be accessed by anybody else either by mistake or for malicious purposes.

Personal data can be stored on any device with a permanent memory, including desktop and laptop computers, external hard drives, games consoles, mobile phones, tablets, faxes, printers, and removable memory such as that found in digital cameras. When deciding what to do, consider the type of media the data is stored on and whether or not this is easily accessible.

Options for secure deletion

Physical destruction

This involves physically destroying the media so that it can no longer be used.

Pros

  •  Once destroyed, data on the media will not be recoverable except using specialist, expensive equipment.
  •  You can do this without specialist equipment.
  •  If you can remove the media you can destroy it separately and leave the device intact.
  •  This is a good method of destruction for removable media such as CDs and DVDs.

Cons

  •  You will have to replace the destroyed media with a new storage facility if you want to use the device again.
  •  If you are not able to remove the media from the device you will have to destroy the device itself.
  •  Removing the media may invalidate the warranty.
  •  Fragment particles raise health, safety and environmental concerns. Consider specialist help for devices with hazardous elements eg mobile phones and batteries.

Secure deletion software

This involves using software to overwrite data one or more times.

Pros

  •  Simple and cheap.
  •  The media can be reused once the overwriting is complete.

Cons

  •  Large drives may take some time to overwrite multiple times.
  •  Ineffective on some media such as write-once CDs.
  •  It may be difficult or impossible to remove the media from the device.

Restore to factory settings

Many devices offer a function to ‘Restore to factory settings’. This will return the device to the state in which you bought it.

Pros

  •  Can be used on devices which do not have removable or otherwise accessible storage media.

Cons

  •  This method relies on the device manufacturer to have implemented a secure wiping stage into the factory reset process.
  •  You should check with the device manufacturer to determine if this is sufficiently secure.

Send to a specialist

There are many organisations which will securely delete data from a range of devices and types of media. These organisations will destroy or overwrite your data on your behalf.

Pros

  •  A specialist organisation may be able to return, reuse or recycle your media or device after they have securely deleted your data.

Cons

  •  You will need to check the organisation’s processes to be sure that your data will be securely deleted.
  •  If you can, you should perform another secure deletion method or at least a ‘restore to factory settings’ before you send a device to a specialist organisation.

Formatting

Formatting media recreates the data structures and file system.

Pros

  •  A full format can be used in conjunction with overwriting to provide further assurance that data cannot be recovered.

Cons

  •  A reformat is not sufficient to securely delete data because the data can be easily recovered using freely available software.

Where will I find my data?

Desktop and laptop computers will have a hard drive inside where your data is stored. Above you'll see some common types of hard drives found in PCs and laptops.

Don’t forget that you may have personal data stored on other memory types such as USB drives, CDs and DVDs and SD cards (eg in a camera or mobile phone).

My data is in the cloud. How do I delete this securely?

Securely deleting data from the cloud or other remote storage service cannot be achieved by you running overwriting software. You should contact your cloud provider to see what service they offer to securely delete the data.

Where do I get overwriting software from?

Software products which can perform the secure deletion of data are available from IT security firms. There are also other software products (often free) which you can download and use. However, when obtaining software from the internet you should make sure this comes from a reputable source and that you review evidence that the software has been tested against the claims that it makes.

I cannot decide between physical destruction and overwriting.

In choosing between physical destruction and overwriting, the main point to consider will be whether or not you want to use the media again. Physical destruction will completely destroy the media so it is only appropriate if you are sure that you do not want to use it again.

Can I get someone else to securely delete data from my equipment?

Yes. If you are not confident in performing the deletion yourself you can get assistance from a professional who has experience in this area.

Notes

Full copies of the guidance and corresponding report and survey will be published on the front page of the ICO website (www.ico.gov.uk) once the embargo has been lifted.

If you need more information, please contact the ICO press office on 0303 123 9070 or visit the website at: www.ico.gov.uk.

1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

3. All survey figures, unless otherwise stated, are from YouGov Plc. Total sample size was 2031 adults. Fieldwork was undertaken between 22nd - 24th February 2012. The survey was carried out online. The figures have been weighted and are representative of all GB adults (aged 18+).


About the Author

The Information Commissioner’s Office is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. We do this by promoting good practice, ruling on complaints, providing information to individuals and organisations and taking appropriate action when the law is broken.

The ICO enforces and oversees the following legislation:

  •  Data Protection Act 1998
  •  Freedom of Information Act 2000
  •  Privacy and Electronic Communications Regulations 2003
  •  Environmental Information Regulations 2004


Article Published/Sorted/Amended on Scopulus 2012-05-08 11:39:34 in Computer Articles

Copyright © 2004-2019 Scopulus Limited. All rights reserved.