Said experiment is based on mechanical hard drives, excluding SSDs and memory cards. The company has randomly purchased a total of 100 hard drives and has sought to recover the data. For this they have not used very advanced systems, only relatively affordable solutions.
Another consideration is that they have not worked with damaged or encrypted drives. These units have been discarded so as not to lengthen the process and use up a large amount of resources. Note that broken or encrypted units could also have been saved.
Bad idea to sell second hand hard drives
Secure Data Recovery has recovered data from a total of 69 hard drives, a total of 30 were damaged and only one was encrypted. All drives were pure hard drives, no hybrid solutions that include memory chips (SSHD).
The company indicates that they have recovered a whopping 5.7 million files. Note that this figure is tricky, since only one unit had more than 3.1 million files. It also highlights that the unit oldest that they have worked is a 2.5-inch Western Digital from 2004. They have clarified that nearly two-thirds were 3.5-inch drives.
This experiment shows something we already knew: the users do not verify the deletion of data. Only a small part of people will irretrievably delete the information. Also, only 1% delete the data and encrypt the drive.
For example, eBay for years required sellers to verify hard drives for erasure. Something that seems to have been forgotten or fallen on deaf ears.
From the company they have classified the hard drives without data as “sanitized”. These drives have undergone a complete data wipe or have been filled with random patterns.
A spokesperson has reported on the treatment of the recovered data: “We follow our typical and strict data handling practices, which include more than 100 security checks. We never saw the contents of any recovered files and safely purged the data after the exercise.”
Why should I clean it before selling it?
First of all, you never know who may acquire this storage unit and what they will do with it. Someone malicious can use advanced tools to recover the data that we have stored. If they find compromised files (private photos and/or videos) they can use them to extort money from us.
Another case that can occur is to recover files with personal information, such as employment or rental contracts. There appears our address, our full name and identification number (DNI or similar). It assumes that someone could impersonate our identity and, therefore, impersonate us.
If the first case is already bad, the second is more dangerous. They could impersonate us to acquire bank loans, commit serious crimes and other problems. Then, proving that it wasn’t us can be complicated, without taking into account the risk of facing legal action.
The best practice is not to sell the unit second hand. You should open up the unit, use sandpaper to abrade the plates, and then break them as much as possible. It would even be convenient to throw the remains in several containers and in several days.
It may sound crazy, but do you want to take a risk?