IT Security firm Secarma is issuing a warning to businesses after recovering personal data including passwords and login information from erased and formatted hard drives bought online.

The security firm, an arm of cloud and colocation specialist UKFast, was invited by BBC Radio show Naked Scientists to conduct an investigation, as part of their ‘Science Night’ show on BBC Radio 5 Live, into the security of recycling hard drives – a common practice for environmentally-conscious businesses.

The investigation discovered that despite users password-protecting and deleting entire data archives from hard drives they sold on, sensitive data was still recoverable.

Stuart Coulson, head of sales and cyber security expert at Secarma commented on the findings: “To prove how easy data recovery is, we searched one of the most recognised online marketplaces: eBay – where used hard drives are abundant. Looking for descriptions containing key words such as ‘formatted’ and ‘password-locked’, we found a drive entitled: ‘preformatted ready to use’.

“The label ‘formatted’ gets used so loosely in technology that people don’t fully understand its true definition, misinterpreting it to mean ‘deleted’ and gone forever. Unfortunately this isn’t entirely true, as a quick recovery uncovered hundreds of student and dissertation data from a humanities college.

“It took less than five minutes, using off the shelf recovery software, to extract data including student user login details and links to coursework from the preformatted hard drive. Had we used our specialist recovery software, we would have been able to recover further data.

“Businesses should heed the warning that ‘formatted does not mean erased forever’, as they could be inadvertently sharing confidential corporate data, or worse, client data which it is their duty to protect.”

Coulson advised the best route to properly erasing external drives and ensuring the appropriate disposal of confidential information. He said: “As we generate more and more data, old drives are becoming too small for purpose and being upgraded for larger, more efficient storage devices. Firms looking to remain environmentally-friendly by recycling or reselling old drives must properly wipe data from them.

“To do this, firms can visit computer recycling and disposal services that will provide a Certificate of Destruction. As a reputable organisation your primary responsibility is to look after your customers’ data and failure to do so could result in a criminal record, losing you both your customers and your business.”

Coulson added: “If companies could take away one critical piece of advice, then it’s simply not to put used hard drives on eBay. To clarify, we spoke with the ICO who helpfully advised us that as a data controller (the owner of the data), that data is yours and therefore you must ensure the appropriate protocol is put in place when deleting data as part of Principle 7 (Information Security) of the Data Protection Act.

“If you’re looking to sell other computer parts then by all means do so – but if it’s your hard drive, unless you can be 100% certain the data on it is deleted or unimportant, hold on to it or find a new use for it as it could end up on the wrong side of the law.”

Due to the sensitive nature of their findings, Coulson refrained from undertaking a full recovery on the drives.