Data on second hand hard-drives.

Posted 8th Nov
So I bought a second hand SSD hard-drive from a well known second hand gaming store and did some checks on it (mostly for errors). The data recovery located and made recoverable ALL of the data of whomever traded the hard-drive in. E-mail data files, save games, sensitive information etc. Which I thought was pretty bad (and no less breaks data protection laws).

Is this the fault of the retailer reselling it, or the person trading it in? Surely by reselling it, it becomes the retailer's responsibility to make sure that this doesn't happen?
22 Comments
I've had the same from cash converters. The person who traded it in is daft, you'd like to think the store would wipe them but using a till seems perplexing enough for some staff. It makes me cringe when they have dslr cameras out with the sensor exposed and no cover as well.
Edited by: "dcx_badass" 8th Nov
This is one reason why I have a stack of used hard drives in my loft... the only data wipe I would trust is an angle grinder, and even then I'd need it to be confetti before I was confident the stuff was gone.
Why did you even attempt to recover the data?
I doubt the shop has a duty of care to the seller; if the seller has presented the drive for sale then it is more than reasonable to assume the seller is comfortable with whatever data may or not remain / be recoverable from the drive.
I once got an overcoat from a charity shop, imagine my amazement when I discovered a valid membership for a local CIU affiliated club in one of the pockets.
Secure data wipe of SSDs costs time and money to effect, bad for profits. SPIN, public relations boiler template is far cheaper, such as :-

A boiler template costs near ~£0 to write, even I can do this for nothing:-

"As a company, we take customers' privacy and confidentiality extremely seriously....inevitably, with the tens of thousands of devices that we handle daily, inevitably....we have since changed our company's process to improve....blah blah or this was due to the action of a single employee who did not follow the company's policy."
JohnnyRoller 08/11/2019 16:48

Why did you even attempt to recover the data?


No data was recovered, I could see the file names, and had the option to recover.
This was more of an experiment, to see if retailers actually do a full deep clean of drives before reselling them. That way I'm more aware of the risks when trading in my own stuff.
Retailer:
"It is your responsibility to remove your personal data before selling."

"We will however also perform a data wipe ourselves as part of the test process."

So, yeh.
Edited by: "guru404" 8th Nov
guru404 08/11/2019 18:08

No data was recovered, I could see the file names, and had the option to recover.
This was more of an experiment, to see if retailers actually do a full deep clean of drives before reselling them. That way I'm more aware of the risks when trading in my own stuff.


“The data recovery located and made recoverable ALL of the data of whomever traded the hard-drive in. E-mail data files, save games, sensitive information etc. Which I thought was pretty bad (and no less breaks data protection laws).”

I'm only basing my comment on what you wrote in the OP...
not retailer responsibility i would have thought. you are responsible for your own data cleanse before you sell the hard drive. the retailer could claim you sold your deleted data when you left them there.
JohnnyRoller 08/11/2019 18:23

“The data recovery located and made recoverable ALL of the data of whomever traded the hard-drive in. E-mail data files, save games, sensitive information etc. Which I thought was pretty bad (and no less breaks data protection laws).”

I'm only basing my comment on what you wrote in the OP...


No worries. I could see the file names, but I didn't recover any of it back to its original form, nor did I actually view any of the file contents. This one is going to my 8 year old nephew for his laptop because he is intrigued about IT and the workings of computers.
Personally I would remove the hard drive and either give it a real, and proper clean or simply destroy it (drill it through and drop it in a jug of battery acid). My thinking is you don't know what is on the hdd. You don't want to be trying to explain some dodgy pictures that are recovered to the lads in blue.
Edited by: "Ringfinger" 8th Nov
You need to use a proper piece of software such as this: eraser.heidi.ie/

Not just right click and format which is most likely what they did
If you don't want to use a harddrive anymore just stick it in the microwave
bobdylan 08/11/2019 21:44

You need to use a proper piece of software such as this: https://eraser.heidi.ie/

Not just right click and format which is most likely what they did


You need to download the manufacturer toolkit (if there is one), and wipe the SSD. It should only take a few seconds to do (in most cases). What you linked won't securely wipe an SSD.

You should really only buy SSDs that come with their own toolkit. So you can monitor the health of the SSD, or erase it if you need to.


reddit.com/r/b…ng/
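
A check a seller could run after wiping a drive and before trading it in, added here as an example that is not part of the thread or of any vendor's toolkit: it samples blocks from a drive or image and reports any that still hold data. The function names, the 4096-byte block size and the assumption that a wiped drive reads back as all 0x00 or all 0xFF are this example's own; the demo image is constructed.

```python
import os
import random
import sys

BLOCK = 4096  # assumed sampling granularity, not a property of any drive


def sample_residual(path, samples=256, seed=0):
    """Return offsets of sampled blocks that still hold data.

    Assumption: a wiped drive reads back as all 0x00 or all 0xFF.
    """
    wiped = (b"\x00" * BLOCK, b"\xff" * BLOCK)
    with open(path, "rb") as dev:
        nblocks = dev.seek(0, os.SEEK_END) // BLOCK
        if nblocks == 0:
            raise ValueError("drive or image is smaller than one block")
        if nblocks <= samples:
            picks = set(range(nblocks))  # small enough to read in full
        else:
            picks = set(random.Random(seed).sample(range(nblocks), samples))
            # Partition tables and the backup GPT live at the two ends.
            picks.update((0, nblocks - 1))
        leftovers = []
        for index in sorted(picks):
            dev.seek(index * BLOCK)
            if dev.read(BLOCK) not in wiped:
                leftovers.append(index * BLOCK)
    return leftovers


def build_demo_image(path, wiped, blocks=64):
    """Constructed sample: a zeroed image, with leftover mail text in
    block 10 unless wiped is True."""
    with open(path, "wb") as img:
        img.write(b"\x00" * (blocks * BLOCK))
        if not wiped:
            img.seek(10 * BLOCK)
            img.write(b"Subject: constructed leftover message\r\n")


if __name__ == "__main__":
    # Usage: python check_wipe.py /dev/sdX   (or a disk image file)
    found = sample_residual(sys.argv[1])
    print("no residual data in sampled blocks" if not found
          else f"{len(found)} sampled blocks hold data, first at byte {found[0]}")
```

A clean result covers only the sampled, host-addressable blocks, so raise `samples` for more confidence; any hit means the wipe did not take.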
mutley1 08/11/2019 18:43

not retailer responsibility i would have thought. you are responsible for your own data cleanse before you sell the hard drive. the retailer could claim you sold your deleted data when you left them there.


I disagree Mutters, while you are responsible for your own data, and should wipe the drive before selling it, the GDPR laws don't apply to you as an individual. They do apply to companies though, and while the company can claim you sold the data to them when you sold the drive, they then sold your data to someone else. Any prosecutions for the data leak would be directed to the company, not the data subject.
Pandamansays 09/11/2019 11:22

I disagree Mutters, while you are responsible for your own data, and should wipe the drive before selling it, the GDPR laws don't apply to you as an individual. They do apply to companies though, and while the company can claim you sold the data to them when you sold the drive, they then sold your data to someone else. Any prosecutions for the data leak would be directed to the company, not the data subject.


i think it would be a complex case prosecuting the retailer as they are not a company that held your data then sold it on in this instance, it is less clear than that. in this instance you sold them a drive that you have not cleaned properly, and they have passed that drive on to another person, so they have acted as middle man for the sale. the data you sold is the data you sold with the drive so it could be argued that the drive was sold with data on it. you haven't sold the data to the company, you have sold the data with the drive to the purchaser, and any subsequent purchaser of the drive.

good luck with prosecuting the games store for not cleaning your hard drive before passing it on, when you could not be bothered to clean the hard drive yourself before you sold it. you obviously didn't care very much about keeping it private.
mutley1 09/11/2019 11:40

i think it would be a complex case prosecuting the retailer as they are not a company that held your data then sold it on in this instance, it is less clear than that. in this instance you sold them a drive that you have not cleaned properly, and they have passed that drive on to another person, so they have acted as middle man for the sale. the data you sold is the data you sold with the drive so it could be argued that the drive was sold with data on it. you haven't sold the data to the company, you have sold the data with the drive to the purchaser, and any subsequent purchaser of the drive.

good luck with prosecuting the games store for not cleaning your hard drive before passing it on, when you could not be bothered to clean the hard drive yourself before you sold it. you obviously didn't care very much about keeping it private.


In this case, it looks like the files on the drive were just 'deleted' and not even formatted. Anybody with malicious intent could recover and pull up potentially sensitive data. The retailer in this case state that it is your responsibility to make sure that your data is not on the drive, BUT then state that they do some kind of erasing process during the testing process (which obviously wasn't deep enough, by any means, or not done at all).
I agree with Mutley. Ignorance that the data wasn't properly wiped won't stand as a defence. If the company doesn't have the processes in place to deal with HD data then they shouldn't be selling them. Technically it could be even worse if the HDs contained illegal material, one could argue they were involved in supply.

Wonder how many of them contain bitcoin wallets... That's the first thing I'd go looking for.
guru404 09/11/2019 12:38

In this case, it looks like the files on the drive were just 'deleted' and not even formatted. Anybody with malicious intent could recover and pull up potentially sensitive data. The retailer in this case state that it is your responsibility to make sure that your data is not on the drive, BUT then state that they do some kind of erasing process during the testing process (which obviously wasn't deep enough, by any means, or not done at all).


i would say that the owner of the drive would have a case against the game company if the company had retrieved data from the drive and then sold the data on as then that is intentional breach of data protection as the data was not sold to the company for it to sell on. the data staying on the drive itself being sold on is another matter.

if you yourself were to retrieve the data and used it to your own benefit, i would also think that the owner may have a case against you for using his data without his permission for your own benefit. if you were to retrieve it but only viewed it and did nothing with it, then he wouldn't have a case against you as it was his fault that he didn't protect his data from other people viewing it.
jaydeeuk1 09/11/2019 12:53

I agree with Mutley. Ignorance that the data wasn't properly wiped won't stand as a defence. If the company doesn't have the processes in place to deal with HD data then they shouldn't be selling them. Technically it could be even worse if the HDs contained illegal material, one could argue they were involved in supply.

Wonder how many of them contain bitcoin wallets... That's the first thing I'd go looking for.


i don't think you are agreeing with me. i don't think the game company is responsible for making sure that the hard drive is wiped clean before they sell it on. i believe that it is your own responsibility to clean the data before you sell the drive to the public. as i had said above, the owner of the drive would only be able to prosecute the game company if the company had extracted his data and sold his data on for a profit.