ICO report finds many people becoming a Soft Touch for online fraudsters
News release 25 April 2012
The Information Commissioner’s Office (ICO) is urging consumers to take better care of
their data, following an investigation into the trade in used hard
drives. The ICO has published new guidance (see Annex A) to help
individuals securely delete personal information from their old
by the ICO found that one in ten second-hand hard drives sold online
may contain residual personal information. An ICO survey also found
that 65% of British adults now hand on their old phones, computers and
laptops to another user, with 44% giving it away to somebody else for
free and around one in five (21%) selling it to somebody else.
2010, the ICO asked a computer forensics company – NCC Group – to
source around 200 hard drives, 20 memory sticks and 10 mobile phones.
The devices were mainly bought online from internet auction sites and
some were sourced at computer trade fairs. The devices were then
searched, initially without any additional software, and then
interrogated using forensic tools freely available on the internet.
found that, while 52% of the hard drives investigated were unreadable
or had been wiped of data, 48% contained information and 11% was
personal data. The amount of personal data found on the mobile phones
and memory sticks was negligible.
In total 34,000
files containing personal or corporate information were recovered from
the devices. At least two of the hard drives contained enough
information to enable someone to steal the former owner’s identity. The
residual documents included scanned bank statements, passports,
information on previous driving offences, and some medical details. A
further four hard drives contained information about the employees and
clients of four organisations, including individuals’ health and
organisations were contacted and have now taken action to ensure
people’s information is securely deleted from redundant equipment, or
the equipment is destroyed as necessary. One company – Safe and Secure
Insurances Services Limited – have also signed an undertaking to
introduce further improvements.
outcome of today’s report, Information Commissioner, Christopher Graham
“We live in a
world where personal and company information is a highly valuable
commodity. It is important that people do everything they can to stop
their details from falling into the wrong hands. Today’s findings show
that people are in danger of becoming a soft touch for online
fraudsters simply because organisations and individuals are failing to
ensure the secure deletion of the data held on their old storage
will presume that pressing the delete button on a computer file means
that it is gone forever. However this information can easily be
“The ICO has
published guidance to help individuals securely delete information
stored on their old devices. We hope this publication will help people
to take better control of their personal data.”
We have also
published a survey to coincide with the research project looking at
people’s attitudes towards data disposal. The survey shows that 65% of
people now hand on their old phones, computers and laptops to another
user with 44% giving it away to somebody else for free and around one
in five (21%) selling it to somebody else. This figure rises to 31% of
18 – 24 year olds selling their mobile phone, computer or laptop to
The survey also
found that an alarming one in ten people who have ever disposed of a
mobile phone, computer or laptop, said that they had never deleted
information held on a device before disposing of it, potentially
allowing their data to be accessed by the next person who used it.
Getting rid of your computer? Laptops,
mobile phones and other devices may contain personal information that
you wouldn’t want others to see, such as passwords and credit card
It’s important to properly delete any
personal information before you sell or dispose of your hardware, so
that it cannot be accessed by anybody else either by mistake or for
Personal data can be stored on any device
with a permanent memory, including desktop and laptop computers,
external hard drives, games consoles, mobile phones, tablets, faxes,
printers, and removable memory such as that found in digital cameras.
When deciding what to do, consider the type of media the data is stored
on and whether or not this is easily accessible.
Options for secure deletion
This involves physically destroying the
media so that it can no longer be used.
Once destroyed, data on the media will not
be recoverable except using specialist, expensive equipment.
You can do this without specialist equipment.
If you can remove the media you can destroy
it separately and leave the device intact.
This is a good method of destruction for
removable media such as CDs and DVDs.
You will have to replace the destroyed media
with a new storage facility if you want to use the device again.
If you are not able to remove the media from
the device you will have to destroy the device itself.
Removing the media may invalidate the
Fragment particles raise health, safety and
environmental concerns. Consider specialist help for devices with
hazardous elements eg mobile phones and batteries.
Secure deletion software
This involves using software to overwrite
data one or more times.
Simple and cheap.
The media can be reused once the overwriting
Large drives may take some time to overwrite
Ineffective on some media such as write-once
It may be difficult or impossible to remove
the media from the device.
Restore to factory settings
Many devices offer a function to ‘Restore to
factory settings’. This will return the device to the state in which
you bought it.
Can be used on devices which do not have
removable or otherwise accessible storage media.
This method relies on the device
manufacturer to have implemented a secure wiping stage into the factory
You should check with the device
manufacturer to determine if this is sufficiently secure.
Send to a specialist
There are many organisations which will
securely delete data from a range of devices and types of media. These
organisations will destroy or overwrite your data on your behalf.
organisation may be able to
return, reuse or recycle your media or device after they have securely
deleted your data.
You will need to check the organisation’s
processes to be sure that your data will be securely deleted.
If you can, you should perform another
secure deletion method or at least a ‘restore to factory settings’
before you send a device to a specialist organisation.
Formatting media recreates the data
structures and file system.
A full format can be used in conjunction
with overwriting to provide further assurance that data cannot be
A reformat is not sufficient to securely
delete data because the data can be easily recovered using freely
Where will I find my data?
Desktop and laptop computers will have a
hard drive inside where your data is stored. Above you'll see some
common types of hard drives found in PCs and laptops.
Don’t forget that you may have personal data
stored on other memory types such as USB drives, CDs and DVDs and SD
cards (eg in a camera or mobile phone).
My data is in the cloud. How do I delete
Securely deleting data from the cloud or
other remote storage service cannot be achieved by you running
overwriting software. You should contact your cloud provider to see
what service they offer to securely delete the data.
Where do I get overwriting software from?
Software products which can perform the
secure deletion of data are available from IT security firms. There are
also other software products (often free) which you can download and
use. However, when obtaining software from the internet you should make
sure this comes from a reputable source and that you review evidence
that the software has been tested against the claims that it makes.
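One way to test an overwriting tool's claims, as an added example that is not part of the ICO guidance: the Python sketch below builds a small constructed disk image in memory and compares what is left after a simulated reformat (only the file table recreated) with what is left after a full overwrite. The image layout, block size and function names are assumptions made for illustration.

```python
import os

BLOCK = 512
TABLE_BLOCKS = 4  # assumption: the first blocks hold the file table
# Well-known file signatures worth flagging in leftover data.
SIGNATURES = {b"%PDF-": "pdf", b"\xff\xd8\xff": "jpeg", b"PK\x03\x04": "zip"}

def put(img, block, data):
    """Write data at the start of a block without changing the image size."""
    off = block * BLOCK
    img[off:off + len(data)] = data

def build_image(total_blocks=64):
    """Constructed sample: a file table plus two 'files' (not real data)."""
    img = bytearray(total_blocks * BLOCK)
    put(img, 0, b"statement.pdf@8;passport.jpg@20")
    put(img, 8, b"%PDF-1.4 constructed bank statement")
    put(img, 20, b"\xff\xd8\xff\xe0 constructed passport scan")
    return img

def quick_format(img):
    """Simulate a reformat: recreate the file table, leave file contents alone."""
    img[:TABLE_BLOCKS * BLOCK] = bytes(TABLE_BLOCKS * BLOCK)

def overwrite(img, passes=1):
    """Overwrite every byte with random data, then a final zero pass."""
    for _ in range(passes):
        img[:] = os.urandom(len(img))
    img[:] = bytes(len(img))

def residue(img):
    """Count blocks still holding data and list known signatures found."""
    nonzero = sum(1 for i in range(0, len(img), BLOCK) if any(img[i:i + BLOCK]))
    hits = []
    for sig, kind in SIGNATURES.items():
        pos = img.find(sig)
        while pos != -1:
            hits.append((pos, kind))
            pos = img.find(sig, pos + 1)
    return {"nonzero_blocks": nonzero, "signatures": sorted(hits)}

if __name__ == "__main__":
    img = build_image()
    quick_format(img)
    print("after reformat: ", residue(img))
    overwrite(img)
    print("after overwrite:", residue(img))
```

After the simulated reformat both constructed files are still found by their signatures; after the overwrite no block holds any data, which is the result to look for when checking a tool's output.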
I cannot decide between physical destruction
In choosing between physical destruction and
overwriting, the main point to consider will be whether or not you want
to use the media again. Physical destruction will completely destroy
the media so it is only appropriate if you are sure that you do not
want to use it again.
Can I get someone else to securely delete
data from my equipment?
Yes. If you are not confident in performing
the deletion yourself you can get assistance from a professional who
has experience in this area.
Full copies of
the guidance and corresponding report and survey will be published on
the front page of the ICO website (www.ico.gov.uk)
once the embargo has been lifted.
If you need more
information, please contact the ICO press office on 0303 123 9070 or
visit the website at: www.ico.gov.uk.
Information Commissioner’s Office upholds information rights in the
public interest, promoting openness by public bodies and data privacy
ICO has specific responsibilities set out in the Data Protection Act
1998, the Freedom of Information Act 2000, Environmental Information
Regulations 2004 and Privacy and Electronic Communications Regulations
3. All survey figures, unless otherwise
stated, are from YouGov Plc. Total
sample size was 2031 adults. Fieldwork was undertaken between 22nd -
24th February 2012. The
survey was carried out online. The figures have been weighted and are
representative of all GB adults (aged 18+).
About the Author
The Information Commissioner’s Office is the UK’s
independent authority set up to uphold information rights in the public
interest, promoting openness by public bodies and data privacy for
individuals. We do this by promoting good practice, ruling on
complaints, providing information to individuals and organisations and
taking appropriate action when the law is broken.
The ICO enforces and oversees the following:
- Data Protection Act 1998
- Freedom of Information Act 2000
- Privacy and Electronic Communications Regulations
- Environmental Information Regulations 2004
Article Published/Sorted/Amended on Scopulus 2012-05-08 11:39:34 in Computer Articles