Every day, another organisation suffers a data breach of one kind or another. There are so many that only a fraction make the headlines, which means that, most of the time, the customers of the affected business do not find out until long afterwards. Since the General Data Protection Regulation (GDPR) became enforceable on 25 May 2018, however, organisations that process the personal data of people in the EU have been required to report significant breaches within a fixed time limit.
The GDPR was adopted in 2016 by the European Parliament and the Council with the goal of protecting individuals in the EU through a single set of data protection rules that applies uniformly across the Union, replacing the patchwork of national laws that preceded it. This was considered necessary for an increasingly data-driven world.
All organisations that process the personal data of individuals in the EU fall under the GDPR, whether or not the organisation itself is located in the EU. The penalties it sets out apply to data processors as well as data controllers. It requires that people be told who will have access to their data and for what purpose. When personal data is breached, the controller must notify the supervisory authority within 72 hours of becoming aware of the breach (unless the breach is unlikely to result in a risk to the people concerned), and must also inform the affected individuals without undue delay when the breach is likely to result in a high risk to them.
The value of data has never been higher, and criminals are constantly finding new ways to obtain as much personal and sensitive data as they can. One source that has come to light is not a software exploit at all but the careless disposal of corporate PCs and hard drives. Many of these carelessly disposed-of systems, including ones sold on eBay, have been found to still contain recoverable sensitive data belonging to the company, its clients and its employees.
By buying (or otherwise acquiring) these discarded corporate laptops and desktops, criminals can recover sensitive information that the organisation neglected to erase properly.
In various studies, discarded corporate PCs have been found to still contain valuable information such as:
- Driving licenses
- Passport copies
- Bank account numbers
- Personal addresses
- Credit card numbers
- Social security numbers
- Tax records
- Dates of birth
- Email addresses
- Employee records
- Health data
- Phone numbers
- PINs
In many cases the company discarding the computers believes they have already been cleared of data. But a system that has merely been “formatted” can still hold retrievable data: deleting a file only removes its directory entry, and a quick format only writes fresh file-system metadata, in both cases leaving the underlying data blocks in place until something happens to overwrite them. All a thief needs is freely available recovery software that scans the raw disk for those blocks. For instance, Kaspersky technicians were able to retrieve sensitive data from second-hand computers they bought that were thought to have been “formatted”. One of them yielded 117 unique usernames and passwords, personal photographs and other private data.
A Goldmine for Data Thieves
Many of the ex-corporate PCs and laptops on the open market are believed to still hold recoverable and valuable data. Data thieves buy these systems, sometimes in bulk. With the right tools, some of them available online for free, these troves of personal data can be opened up and used for whatever the thieves please: identity theft, blackmail, or simply sale on the black market to the highest bidder.
A report from the Information Commissioner’s Office (ICO) found that about half of more than 200 hard drives bought at auction still carried personal data from their original owners. A significant number held enough retrievable data to carry out identity theft, including medical reports, passport copies and bank statements.
A separate study by Dr. Simson Garfinkel of 236 hard drives bought on eBay found that:
- Seven of the drives held more than 300 unique credit card numbers.
- One of the drives had come from an ATM and contained more than 800 unique PINs.
- One drive had previously been used in a medical centre and still held over 11,000 individual credit card numbers along with other patient information.
How corporations can protect their sensitive data when discarding old or faulty computers and hard drives
A company disposing of retired PCs needs to pay attention to removing the data from them first, not least if it hopes to avoid a reportable breach under the GDPR. Pressing delete or running a standard quick “format” is not enough, because the data can still be retrieved from the drive.
To make sure the data on a drive that is about to leave the company is unrecoverable, take one of the following approaches.
- Wipe the drive with specialised software
Purpose-built wiping tools overwrite every sector of the drive, not just the files the file system still lists, so that nothing is left for recovery software to find. This works reliably for conventional magnetic hard disks. For SSDs a host-side overwrite is not a guarantee: wear-levelling and spare capacity mean that some flash cells are never exposed to the operating system, so use the drive’s own sanitisation command (ATA Secure Erase or NVMe Sanitize) or, if the drive was encrypted from the start, destroy the key. Whichever method is used, verify the result by reading the drive back and checking for remnants before it leaves the building.
- Physically destroy the drive
Overwriting a large drive takes time. If the drive is not going to be reused, it can instead be destroyed. A magnet waved over the case will not do it: modern hard drives are unaffected by anything short of a purpose-built degausser, and a degausser does nothing at all to SSDs or other flash storage. The reliable options are a degausser rated for the drive (magnetic disks only) or mechanical destruction: shredding, or removing the drive and breaking the platters themselves (for an SSD, every flash chip on the board). Smashing the casing or the connectors is not enough, since an intact platter or chip can be read in another enclosure.
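The difference between deletion, a quick format and an overwrite described above can be seen directly on a disk image. The following shell script is an added example written for this page, not code from the original article or from ISMS.online. It uses a 4 MiB image file in place of a disk, treats the first 64 KiB as “file-system metadata”, and plants a constructed “directory entry” and a constructed sample customer record; no real file system, device or root access is involved. It shows that “delete” and “quick format” each clear only metadata while a raw scan of the image still finds the record, that only the overwrite pass removes it, and ends with the read-back verification a disposal procedure should include.

```shell
#!/bin/sh
# Added demonstration, not code from the original article.
# A disk image file stands in for a drive; the first 64 KiB stand in for
# file-system metadata; the "directory entry" and customer record are constructed.
set -eu

IMG="${TMPDIR:-/tmp}/wipe-demo.img"
MARKER="ACME-CUSTOMER,4111111111111111,PIN=2580"   # constructed sample record
DATA_OFF=1048576      # byte offset of the record in the "data area"
ENTRY_OFF=4096        # byte offset of its "directory entry" in the metadata area
META_BYTES=65536      # first 64 KiB of the image play the role of metadata

# Build a 4 MiB image: a directory entry at the front, the record in the data area.
make_image() {
    dd if=/dev/zero of="$IMG" bs=1048576 count=4 2>/dev/null
    printf 'FILE customers.csv off=%d len=%d\n' "$DATA_OFF" "${#MARKER}" |
        dd of="$IMG" bs=1 seek="$ENTRY_OFF" conv=notrunc 2>/dev/null
    printf '%s' "$MARKER" |
        dd of="$IMG" bs=1 seek="$DATA_OFF" conv=notrunc 2>/dev/null
}

# How many times a raw scan of the image (what recovery software does) finds the record.
marker_hits() { grep -a -o -F "$MARKER" "$IMG" | wc -l | tr -d ' '; }

# Whether the directory entry still exists (what a file browser would show).
entry_hits() { grep -a -o -F 'customers.csv' "$IMG" | wc -l | tr -d ' '; }

# Count of bytes that are not 0x00: anything left behind after a zero pass.
nonzero_bytes() { tr -d '\000' < "$IMG" | wc -c | tr -d ' '; }

# "Delete": the OS clears the directory entry; the data blocks are untouched.
delete_file() {
    dd if=/dev/zero of="$IMG" bs=1 seek="$ENTRY_OFF" count=64 conv=notrunc 2>/dev/null
}

# "Quick format": fresh metadata region at the front; the data area is untouched.
quick_format() {
    dd if=/dev/zero of="$IMG" bs=1024 count=$((META_BYTES / 1024)) conv=notrunc 2>/dev/null
}

# Overwrite wipe: one random pass, then one zero pass, over the entire image.
overwrite_wipe() {
    dd if=/dev/urandom of="$IMG" bs=1048576 count=4 conv=notrunc 2>/dev/null
    dd if=/dev/zero    of="$IMG" bs=1048576 count=4 conv=notrunc 2>/dev/null
}

# Verification is part of the procedure: report "wiped" only if no trace remains.
verify_wiped() {
    if [ "$(marker_hits)" -eq 0 ] && [ "$(nonzero_bytes)" -eq 0 ]; then
        echo wiped
    else
        echo NOT-wiped
    fi
}

demo() {
    make_image
    echo "fresh image:     entry=$(entry_hits) record=$(marker_hits) -> $(verify_wiped)"
    delete_file
    echo "after delete:    entry=$(entry_hits) record=$(marker_hits) -> $(verify_wiped)"
    quick_format
    echo "after quick fmt: entry=$(entry_hits) record=$(marker_hits) -> $(verify_wiped)"
    overwrite_wipe
    echo "after overwrite: entry=$(entry_hits) record=$(marker_hits) -> $(verify_wiped)"
    rm -f "$IMG"
}

demo
```

On a real magnetic drive the overwrite step corresponds to `shred -vn 1 -z /dev/sdX` or a dedicated wiping tool, and the verification step to reading the device back and scanning it for known remnants. For SSDs, prefer the drive’s own ATA Secure Erase or NVMe Sanitize command, since a host-side overwrite cannot reach cells hidden by wear-levelling and over-provisioning.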
“Corporate computers that have not been properly wiped are quite common and are posing a huge data breach risk for companies as well as their clients and employees. Data thieves are profiting from human error, but mistakes can be learnt from, and companies can take better care when trying to get rid of old computers. A company’s sensitive data should never leave the company on a discarded computer or laptop,” says Ryan Newman, an information security expert from ISMS.online.