40% of Resold Devices Contain PII & How to Destroy (Learn More, Video)

The National Association for Information Destruction (NAID) released results of the largest study to date of the presence of personally identifiable information (PII) on electronic devices sold on the second hand market.

The study showed that 40% of devices resold in publicly-available resale channels contained PII. NAID commissioned CPR Tools, Inc. to analyze the used devices, which included used hard drives, mobile phones and tablets.

The current state of electronic storage has made it possible for nearly every adult to carry a form of data storage device.

“As data storage is included in nearly every aspect of technology today, so is the likelihood of unauthorized or unintended access to that data,” states CPR Tools CEO, John Benkert.

“Auction, resell, and recycling sites have created a convenient revenue stream in used devices; however, the real value is in the data that the public unintentionally leaves behind.”

(Are you getting rid of your laptop, cell phone, or external hard drive? Before you trade it in or offer it to a friend make sure you destroy the data that’s on it. If not you could be giving away your most personal information – from credit card numbers to online account information. Courtesy of CPR Tools and YouTube)

While there have been similar studies over the past decade, the NAID study is unique insofar as the recovery process used to locate the data on more than 250 devices was, by design, not sophisticated nor was advanced forensic training required. All methods leveraged downloadable shareware.

Robert Johnson, NAID CEO
Robert Johnson, NAID CEO

Robert Johnson, NAID CEO, points out that while this study’s results show a decrease in data found compared to past studies, “NAID employed only basic measures to extract data; imagine if we had asked our forensics agency to actually dig!”

He goes on to surmise that “40 percent is horrifying when you consider the millions of devices that are recycled annually.”

PII recovered included credit card information, contact information, usernames and passwords, company and personal data, tax details, and more.

While mobile phones had less recoverable PII at 13%, tablets were disturbingly found with the highest amount at 50%. PII was also found on 44% of hard drives.

In total, 40% of the devices yielded PII. The study included devices that had been previously deployed in both commercial and personal environments.

(You may not be able to encrypt your business’ information like a Fortune 500 company, but there are ways you can ensure your sensitive and private data is protected. If you are taking your first steps into the cyber-unknown, consider these three tips to protect your business’ data. Courtesy of CPR Tools and YouTube)

Johnson cautions that the results are in no way an indictment of reputable commercial services providing secure data erasure.

“We know by the ongoing audits we conduct of NAID Certified service providers that when overwriting is properly done, it is a trustworthy and effect process,” he said.

The National Association for Information Destruction (NAID)

The problem lies with service providers who are not qualified and, too often, with businesses and individuals who feel they can do it themselves.” 

The National Association for Information Destruction (NAID) is the international watchdog and non-profit trade association of the secure destruction industry, which currently represents more than 1,900 member locations globally.

NAID advocates for a standard of best practices across governments and by service providers as well as suppliers of products, equipment and services to destruction companies.