Buy a second-hand USB and you might get more than you bargained


Cheap to buy and often given away as freebies, USB flash drives are cheap, readily available and all too often discarded without too much thought… thrown away, lost, given to a friend or colleague, or perhaps sold to a stranger.

But what about the data we save on our USBs? Personal data such as selfies, our CV, payslips, tax returns or perhaps business information such as HR records, customer information, financial reports. Valuable information which you would expect to be deleted from a USB prior to disposal, right? WRONG!

Two-thirds of resold USBs contain accessible data according to new study

A recent study commissioned by Comparitech, a consumer product comparison website, and carried out by the University of Hertfordshire, revealed that around two-thirds of USBs bought second-hand in the US and UK contained recoverable, and sometimes sensitive information.

Alarmingly the level of data found on 20% of the flash drives purchased was such that they could actually identify the previous owner.

The study

200 USBs were purchased, 100 in the US and 100 in the UK, between January and May 2018, from eBay, second-hand shops and conventional auctions.

Findings

Whilst most US sellers (in fact all but one) had attempted to remove all data from their USB, 19 of the USBs bought from UK sellers showed no sign of attempted cleansing.

17% of sellers had successfully wiped their drive of all data, most likely with a data erasing tool. And the USBs of a further 4% of sellers were inaccessible – note only one flash drive purchased in the UK was inaccessible due to data encryption.

In the US, 64 sellers had attempted to delete data but failed, and a further 8 had reformatted their drive with a view to erasing all data, but alas researchers were able to retrieve the data with little effort. Amongst UK sellers, 47 failed to successfully delete their data, with another 16 trying to remove their data, unsuccessfully, by reformatting their USB.

Whilst a small number of sellers (predominantly in the UK) had made no effort to wipe their drive prior to selling, the majority had tried and clearly realised the importance of deleting their data, but unfortunately didn’t know how to erase their data so that it was unrecoverable. Sadly dragging and dropping files into the trash-can won’t suffice nowadays.

Even when on the surface it appeared that a drive had been wiped, researchers were able to use publicly available data recovery software available on the internet to retrieve deleted files.

Deleted files that included:

  • Nude images of a middle-aged man!
  • Photos of bundles of money and shotguns plus a search warrant giving the name of the person to be searched, a forfeiture submission for the seizure of drugs giving the name of the person that had their property seized.
  • Chemical, fire, and power safety documents for a project in Cardiff, Wales, along with risk assessment documents and the name of the drive’s owner.
  • Lab reports for a petrochemical company, with the name and Social Insurance Number of the USB drive’s owner.
  • Documents containing the stock exchange dealings of a trader along with their passport and addresses in France and the UK for the past six years.
  • Wage slips and tax statements with name, address, and contact details.
  • Photos of a soldier – including a deployment screening sheet containing his home and duty addresses.
  • A resume (CV) and filled-out W-4 tax form with full name and address.

 

And remember the data retrieved allowed them to identify the original owner of 20% of the drives bought – scary!

But I’d never sell a cheap USB…

You’re probably reading this post thinking I’d never bother selling a used USB so don’t need to worry, BUT…

Did you know that around 20 million USBs are lost or stolen every year?

That’s a LOT of potentially sensitive data that’s at risk of unauthorised access and use, BUT…

Only if your USB is unencrypted! Invest in a hardware encrypted USB like SafeToGo® Solo and SafeToGo® 302E and even in the event of loss or theft your data will remain safe.

For your eyes only!

SafeToGo® Solo (for individuals and SMEs) and SafeToGo® 302E (for businesses) are fully robust, AES 256-bit XTS hardware encrypted USB3.1 flash drives, designed to protect valuable data from unauthorised access whilst on the move.

Encryption of your data, in any way, is a good thing. Encrypting your data and hiding it from prying eyes by using password or PIN access is an important step to safeguarding your personal information. Encryption is the process of changing or transforming your files according to a set of rules and algorithms into a format that others cannot read. The only way to access those encrypted files is by applying your personally chosen password or PIN to the gateway application so the content can be decrypted.

In a hardware encrypted USB device, access control counters and all information relating to encryption and decryption of the data are implemented in a crypto module located inside the USB flash drive. The crypto module will shut down the USB device and keep the data safe in the event of unauthorised access attempts. Unlike a software-based solution, hackers are unable to run analysis utilities on the USB drive to locate and reset this counter. By shutting down the USB device, a parallel attack can also be thwarted. A parallel attack is where data is copied and shared to many devices to increase the attempts at unlocking data. The USB device doesn’t allow the files to be copied, so they are safe.

Find out more now:
SafeToGo® Solo
SafeToGo® 302E