Computers on the second-hand market contain huge amounts of private and confidential business information from previous users. Those who do not erase data from their computers, mobile phones and other IT products before they are replaced are at risk of sensitive information falling into the wrong hands and being used for criminal purposes. This is revealed in a joint project conducted by Inrego, the newspaper Dagens Nyheter (content in swedish) and IT security firm Bitsec where 55 used laptops were purchased from e-commerce sites like blocket.se and examined for information content. In 42 of the computers, nearly 80 per cent were found to contain a huge number of documents and files from previous users, such as meeting minutes, accounting records, logon details to computer systems, bank account details, naked images, payroll lists and e-mails.
“The study demonstrates that companies, government agencies and individuals expose themselves to massive risks by failing to wipe information from their hard drives before selling them or sending them for recycling. Computer drives and other IT products that store information must be wiped of this information using special software if you want to ensure that no information ends up in the wrong hands or is used for malicious purposes. It is not enough to simply run a system restore or click erase and empty the recycling bin as many seem to do,” says Daniel Bonde, head of security at Inrego, which specialises in recycling and data erasure of IT equipment.
A total of 50 laptops were purchased in the spring of 2016 on blocket.se as well as from physical stores in the Stockholm area. An additional five computers were acquired from a recycling centre. The purchases focused on what we call professional computers or business computers, but a large number of consumer PCs were also purchased.
IT security firm Bitsec has, on behalf of DN, conducted an IT forensic investigation and analysis of the computers using software that can be downloaded for free on-line and is easy to use by anyone with a basic knowledge of computing.
Most of the computers examined had undergone a system re-installation or system restore. After a restore, the information may appear to be wiped, and the previous owners probably thought this was the case, but in reality all the information and documents basically remain on the hard drive and can be easily recovered.
Of the total of 55 computers we were able to examine 51 of them. The other four could not be started or had defect hard drives. In 42 of the computers, information from the previous owner was detected such as files and search history.
In 34 of the computers, a large number of documents, images and files were found. These involve both private information along with details from companies and government agencies (i.e. professional computers). The audit revealed, for example, meeting minutes, naked images, accounting records, transaction procedures for companies, credit card numbers, bank IDs, bank account details, payroll lists, private medical information, alarm lists, passwords, e-mails and contact details. Many of the computers contained 100,000's of files and documents, and in some cases more.
On one computer, login details to the computer system in a Swedish hospital were discovered. Another computer turned out to belong to a municipality in northern Sweden that had been used by a head teacher and contained vast amounts of sensitive documents and passwords to the local computer system. On another computer, there were naked pictures of the previous owner's children that, in malicious hands, could be used for child pornography purposes.
The previous user could be easily identified in 33 of the computers. All five computers from a recycling centre contained huge amounts of information.
“Everything you could imagine was found in the examined computers and we have still only scratched the surface and taken samples to provide an overview. It is surprising that individuals and organisations expose themselves in this way and it is especially serious in the cases of municipalities and authorities, as citizens are laid bare and exposed to great risks. For someone with a malicious intent, this information could be utilised in a number of ways, such as identity theft, extortion, intimidation and fraud. What are you prepared to pay for ensuring your naked images or evidence of porn surfing are not shared with your business associates? How should a company be able to defend itself against an attack from someone who knows the accounting department's practices in detail?” says Calle Svensson, security specialist and digital forensics analyst at Bitsec and the person who conducted the review.
Nine of the computers in the study had either been wiped or encrypted, and no information was found on these computers.
“Erasure is the best method of course, but encryption also provides some protection and should be standard,” says Calle Svensson.
Facts about the project
- Inrego and Bitsec have investigated whether and to what extent commercially sensitive and private information is available on laptops in the used market after being tasked by the newspaper Dagens Nyheter to perform a forensic investigation and analysis of the computers.
- An external company was hired to purchase 50 used computers from the e-commerce companies Blocket, Tradera and a large number of second-hand outlets in the Stockholm area during the winter and spring of 2016. Moreover, five computers were acquired from a recycling centre.
- Both professional computers, which are often used in business, and consumer PCs were purchased. Most computers were between 3 and 5 years old. All the major manufacturers were represented in the study, such as HP, Dell, Lenovo, Apple, Samsung and others.
- Bitsec conducted a forensic investigation and analysis of the computers using the Recuva software, one of many available freeware solutions that restore files and recovers the structure of the mapping system. The Autopsy software was also used occasionally to structure the information.
- Any individuals handling the computers are subject to confidentiality. When the investigation was completed, Inrego wiped all data from the hard drives.