Old devices are filled with personal data, Rapid7 research finds
Wannabe thieves shopping around for personal data don’t need to rely on the dark web. They can simply look at used technology stores for second-hand devices that may come pre-loaded with sensitive data.
In research published Tuesday, Rapid7 researcher Josh Frantz described how he spent roughly $650 on 85 computers, flash drives and other devices to find more than 366,000 files on them. Just two of the devices Frantz bought had their information properly removed, and three devices were encrypted. The data Frantz found included Social Security numbers, dates of birth, credit data and phone numbers.
“After buying the devices, I took them to my command center (a cool name for my basement) and began the data extraction process,” he wrote. “Whenever I brought a computer back, I booted it up to see whether it was bootable and whether it required a password to log in. I wrote a script in PowerShell that would run through and index all the images, documents, saved emails, and conversation histories through instant messengers. It would then zip it up nice and organized on the desktop, and I would pull it off with a USB drive (I know, you were expecting something much fancier).”
Researchers from the University of Hertfordshire in the U.K. revealed last year that two-thirds of the memory cards left in mobile phones and tablets sold on the second-hand market contained personally identifiable information about their former owners, Forbes reported. Many of those memory cards were available for sale on eBay, in traditional auctions and in used goods stores.
The information Frantz found sells for cheap on cybercriminal forums, where a single SSN goes for roughly $1 and a more complete dataset might only reap $3 for the seller. All of which is to suggest that so much data is available to wouldbe identity thieves that “it has driven down the cost of data itself,” Frantz wrote.
Concerned users should not rely on technology companies to delete the information contained on an old device, he said. Instead, they can follow a guide on how to carefully remove their information. Or use a hammer, as Frantz suggested.
