University of Hertfordshire researchers purchased 200 USB memory sticks—100 in the US, 100 in the UK—from Ebay, secondhand shops, and traditional auctions. Our latest research sought to find out how many of the USB drives still contained data, what was contained in that data, and whether any attempt had been made to remove the data.
Two-thirds of USB drives still contained remnant data from previous users. Within them, researchers discovered a wide range of intimate, private, and sensitive files. Nude photos, business documents, ID scans, job applications, wage slips, private memos, tax statements, receipts, and medical documents were found among the trove of data.
The data recovered from secondhand USB drives could be used for a wide range of crimes, including targeted phishing, identity theft, and extortion. “One of the criteria that the study applied to the recovered data was to ask ‘would this data be of value to a cybercriminal?'” says Andrew Jones from the Cyber Security Centre at the University of Hertfordshire. “If a person can be identified in sufficient detail (name, address, email, phone number), then this information has potential value to a criminal for identity theft.”
Researchers conducted their analysis using publicly available software that can be downloaded from the web.
The research team split up the results by country. Here’s a breakdown of the 100 cards from the US:
- Only one USB drive appeared to have no attempt made to remove the data
- 18 were wiped using a data erasing tool and no data could be recovered
- Eight were formatted, but data could be recovered “with minimal effort”
- 64 had data deleted, but it could easily be recovered
- 6 drives were not accessible and could not be read using the tools available
- The previous owner could be identified in 20 cases
… and the 100 from the UK:
- 19 had no attempt made to remove the data
- One was encrypted with BitLocker (not recoverable)
- 16 were properly wiped and no data could be recovered
- 16 were formatted, but data could still be recovered “with minimal effort”
- 47 had data deleted, but it could be easily recovered
- 1 was not accessible and could not be read
- The previous owner could be identified in 22 cases
The biggest difference between the two countries was the number of drives sold without having had any attempt made to erase data beforehand. The study notes, “In the USA, there appears to be a greater level of awareness of the issue and only one of the purchased USB memory sticks had not had any effort made to remove the data, whereas in the UK there were 19.”
Despite Americans’ greater efforts to remove data from USB drives before selling them, the proportion of USB flash drives from which data could be recovered was almost equal in the UK and the USA at 68 percent and 67 percent, respectively.
This study concurs with our similar study by the same university on secondhand memory cards, such as SD and microSD cards. That research, carried out in conjunction with Comparitech last year, found that 65 percent of secondhand memory cards still contained personal data from their previous owners.
What did the USB drives contain?
Researchers noted that the types of data found on USB flash drives varied somewhat by country. Americans’ USB sticks contained more business documents, while those in the UK contained more personal information.
The risks of leaving data on secondhand USB flash drives and memory cards seems obvious, so what researchers found on some of the USB flash drives might surprise you. Some notable cases include:
- Nude images of a middle-aged man along with name and contact details
- A collection of photos of bundles of money and shotguns. A search warrant giving the name of the person to be searched, a forfeiture submission for the seizure of drugs giving the name of the person that had their property seized, A forensic laboratory report on evidence submitted and a letter of resignation from a law enforcement officer.
- Chemical, fire, and power safety documents for a project in Cardiff, along with risk assessment documents and the name of the owner
- Laboratory reports for a petrochemical company, along with the name and National Insurance number (SIN) of the USB drive’s owner
- Documents containing the stock exchange dealings of a trader along with their passport and addresses in France in the UK for the past six years
- Wage slips and tax statements with name, address, and contact details
- Photos of a soldier including a deployment screening sheet containing his home and duty addresses
- A resume and filled-out W-4 tax form with full name and address
Why do people leave data on secondhand USB drives?
The cause of this problem is twofold, according to the research:
- First, not enough people are aware of the risks of leaving data on USB drives before selling them.
- Second, those that do make an effort to erase the data don’t do it properly, so the data can still be recovered.
Jones tells Comparitech, “There are a number of solutions that are already easily and freely available, such as media wiping tools, encryption, and the low level formatting of the media, but this is more an issue of the user not being aware that even though they cannot see it, the data does not go away when they delete it or do a high level format.”
Simply dragging files into the trash can or highlighting them and hitting the “Delete” key does not permanently erase data from a USB drive. Similarly, formatting a USB drive still leaves recoverable remnant data. To fully erase data, it the storage area containing it must be overwritten, preferably by secure data erasure software. Read our guide on how to securely erase SD cards and flash drives to learn more.
The onus of responsibility is on both previous owners and secondhand sellers. It’s quite possible that sellers simply plug in the USB drive, see that it’s empty, and put it up for sale without bothering to properly wipe remnant data.
The tools required to properly wipe a device are often free and even built into device operating systems. The authors of the study note that there’s plenty of free and publicly available information out there (including ours) saying as much, but it apparently never reached many sellers of secondhand devices. Researchers suggests one reason might be that USB memory sticks are fairly cheap and therefore sellers, perceiving them as low value, do not consider the potential value of the data they contain.
In some cases, online sources erroneously suggest wiping devices using a “Quick Format” on Windows, which leaves recoverable remnant data on devices. A full format is necessary to completely overwrite remnant data.
Despite proper data destruction being easy and information about it being prevalent, people still fail to do it. The researchers say the causes might be a lack of understanding of how to properly delete data, a lack of concern in an era of social media and data sharing, or a failure to understand the risks of exposing personal data.
“There have been efforts by Government and a number of other organisations to educate users, but these are not having a significant effect,” Jones explains. “This is probably due to people not considering the effect of aggregation of data on the media over time and that a number of individual elements of data that appear to have no value can be viewed as a whole to develop a rich picture of the user.”
The storage capacity of the drives used in our study varied widely, from a mere 64 MB to 128 GB. The study says USB memory sticks are primarily used to move files from one computer to another, or as a form of backup storage. That means any files stored on USB flash drives were purposely stored there, which is slightly different than data stored on a computer hard disk.
Although storage demand continues to grow, that storage won’t necessarily exist on end user devices in the long term. As broadband speeds increase and memory gets cheaper to manufacture, remote cloud storage and online file transfers could mitigate the amount of personal data we put on USB flash drives.