Selling or Recycling Used Technology Can Be Risky (Unless You Do This First)

Donated or recycled technology still includes your company’s confidential data (even those considered wiped or erased). Delegating recycling to another company can lead to expensive and embarrassing consequences.

Private information often remains on donated tech. That’s what Josh Frantz, a security consultant based out of Wisconsin discovered when he bought second-hand tech from re-sellers, thrift stores, and recycling centres.

Your old technology is a potential asset, but if it is not disposed of properly, it is a potential risk – both financially and personally. Does your certificate of destruction really mean the data was destroyed? Does hiring a 3rd party recycling company really absolve you of your responsibilities to protect confidential data? What if the business is closed? What if the data is old? Let’s look into it.

Returning to the security consultant Josh’s experiment. Josh went to 31 businesses that sold refurbished, used, donated technology such as computers, phones and hard drives. He purchased:

41 desktops and laptop computers
27 removable media such as flash drives and memory cards
11 hard disks
6 cell phones

He wrote a script in PowerShell, which searched for images, documents, saved emails and conversations, and then downloaded them onto a USB. Of the 41 laptops purchased only one was erased. For hard disks, he used a Python script, which sorted the data and organized it. That data wasn’t encrypted so the search was easy. Of the 11 “wiped” hard disks, only 1 was wiped.

His findings: out of the 85 devices purchased, only two were erased properly (and only 3 of the devices were encrypted).

Lastly, he used ‘pyocr’ (an optical character recognition tool wrapper for Python) to identify Social Security Information and found: 611 email addresses; 50 dates of births; 41 Social security numbers; 6 driver’s license and 2 passport numbers; 19 credit cards (most of the credit card info was from scans and images of front and back of card).

There is good news and bad news with this info:

  1. Good news: Data is cheap to buy because, if you know what you are doing, it is widely available. If data is “cheap” it means, the chances that someone is buying your used technology to find your company’s data, is very slim. Most buyers of such recycled technology won’t be people like us – techies – they might be a grandmother buying a laptop for her grandchild or for herself.
  2. Bad news: Even with a certificate of destruction or a claim of data being wiped, it may not be completed competently.
  3. More bad news: If it is your data that is accessed, you – as the person responsible – are responsible for the safekeeping of confidential information even if the business is closed. Your fiduciary duty survives longer than the end of a business. This is especially true for medical clinics, insurance companies, legal firms where you also have privacy act compliance responsibilities.
  4. If that information is leaked, you are responsible for any resulting damages but also your company has to inform your client or patient of the breach of information. It is not a confidence building exercise. You will realize at that moment that your success is based on the trust you’ve been able to keep. Trust is a fragile thing.

As an I.T. Relocation and Special Projects company – Unio Tech Solutions – that’s us – does anything outside of the regular scope of an I.T. department or facilities team. We often are brought in during office moves for I.T. relocation, large deployments of hardware and large scale recycling of technology, like what we have described above. Hiring us for your recycling of technology gives you enhanced levels of protection that is important for Privacy Act Compliance. Unio Tech Solutions can provide a staff member to oversee the destruction of your technology as your company’s witness. Unlike some competitors, Unio Tech only uses staff for technology recycling that is 100% secured with cleared Criminal Records Checks. The last thing you want to find out is that the company hired to destroy your tech recycling doesn’t responsibly do it or the company itself is not secure.

For strategies to ensure that you data is safely removed from your technology please contact Unio Tech Solutions – we are happy to help. As you get ready for your next tech recycling project remember to First properly wipe the hard drives clean if they aren’t being destroyed. It will significantly reduce your risk of unnecessary data breaches and give you peace of mind that your recycling is secured.