Old data die hard as junked PCs yield up secrets


Companies risk brand and business damage by not properly sanitising their PC hard drives before reselling or recycling, writes Karlin Lillington.

With discarded, recycled or resold PCs, your past really can come back to haunt you.

Or just as bad, someone else's past. That's what bankers Morgan Grenfell discovered a few years ago, when they sold on a corporate PC that still had undeleted, detailed information about the investment portfolios of client Sir Paul McCartney.

A study last year by two students at MIT revealed only 9 per cent of 158 hard drives they purchased from auction site eBay had been properly "sanitised", with all data wiped off the drive.


Of the remainder, 117 (74 per cent) contained old data that could be recovered and read. Twenty-eight of the drives (17 per cent) still had functional operating systems with user data that could easily be read. And although 57 (36 per cent) of the drives had been reformatted, they still contained old data that could be recovered. Another 29 drives didn't work at all.

With a new EU directive requiring the recycling of decommissioned PCs, and millions of businesses and individuals planning on dumping or selling old PCs this year, people need to be far more aware of what might be going out the door along with the PC.

"Really, people aren't taking any steps to destroy old data," says Mr Patrick McMahon, service manager with Dublin computer maintenance and support company Calyx. Data protection legislation is just one reason why companies need to wipe old data, he adds.

With analysts estimating some 315 million PCs will be made redundant in 2004 - and 18 per cent of IT managers in the public sector admitting they do not bother to clean drives before getting rid of old PCs - companies may be risking the kind of image and brand damage inflicted on Morgan Grenfell (now Deutsche Asset Management) by the McCartney incident, says Mr Tony Collis, country manager for Finnish company Blancco.

Blancco makes software that is guaranteed to wipe drives so that data cannot be recovered. Its software is approved by the British government for sanitising drives with sensitive government information, and is used by companies such as Dell to clean drives for corporate customers selling on their old PCs.

"There's a very low awareness of what can stay on a hard drive, even if you think it's been deleted," says Mr Tony Corliss, country manager, UK and Ireland, for Blancco.

Companies that specialise in data recovery can retrieve data off hard drives that have been submerged in water for weeks, or inside PCs that have melted down after being in a fire - even a drill punch through the drive doesn't eliminate readable data, says Mr Corliss.

Like other sanitisation programmes, Blancco overwrites the disk with sequences of 1s and 0s, creating a form of computer gibberish that forces off any existing data and that can be replaced with fresh data by the new user. A higher level of security is gained because Blancco runs on its own operating system, a modified version of Linux, so that it can override the computer's own operating system.
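The gap between a reformat and a full overwrite can be checked by reading the media back afterwards. The sketch below is an added illustration, not Blancco's or any vendor's code: it uses a small file as a stand-in for a drive, and the marker string, the toy index sector and all function names are constructed for the example.

```python
import os
import tempfile

SECTOR = 512
MARKER = b"CLIENT-PORTFOLIO-RECORD"  # constructed sample data, not from the article

def make_image(path, sectors=64):
    """Create a constructed 'drive' image: sector 0 is a toy index, the rest holds data."""
    with open(path, "wb") as f:
        f.write(b"INDEX".ljust(SECTOR, b"\x00"))
        for i in range(1, sectors):
            f.write((MARKER + b"-%04d" % i).ljust(SECTOR, b"\x00"))

def quick_format(path):
    """Reset only the index sector, as a reformat does; data sectors are untouched."""
    with open(path, "r+b") as f:
        f.write(b"\x00" * SECTOR)

def overwrite(path, patterns=(b"\x00", b"\xff", None)):
    """Overwrite every sector once per pattern; None means a pass of random bytes."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in patterns:
            f.seek(0)
            for _ in range(size // SECTOR):
                f.write(os.urandom(SECTOR) if pattern is None else pattern * SECTOR)
            f.flush()
            os.fsync(f.fileno())  # push each pass to storage before starting the next

def residual_sectors(path, marker=MARKER):
    """Read the whole image back and count sectors that still contain the marker."""
    count = 0
    with open(path, "rb") as f:
        while chunk := f.read(SECTOR):
            if marker in chunk:
                count += 1
    return count

def demo():
    """Return residual sector counts after a reformat and after a full overwrite."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "drive.img")
        make_image(img)
        quick_format(img)
        after_format = residual_sectors(img)
        overwrite(img)
        after_overwrite = residual_sectors(img)
    return after_format, after_overwrite

if __name__ == "__main__":
    print(demo())
```

The read-back count is the evidence that a wipe worked; a file image only models the principle and says nothing about areas of a physical drive that ordinary writes cannot reach.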

Awareness of how to correctly delete data is low, agrees Dell spokesman Mr Bryant Hilton. Dell offers a recycling programme to its computer buyers as well as an asset recovery service to corporate customers, where it will resell their older computers.

Computers for recycling need to have their drives wiped properly by those handing them in, he says. For asset recovery clients, Dell will wipe the drives either with standard-level sanitisation products such as those made by software company Norton, or for a nominal charge, will use Blancco for enhanced security, Mr Hilton says.

These services are a growing part of Dell's business, he says, as companies seek to manage the entire life cycle of their PCs from before purchase until they are discarded. Most companies use their PCs for an average of two to three years before replacing them with new hardware, he says.

Calyx, which will advise clients on how to dispose of old PCs, suggests using standard-level security products like Norton "if you're talking about data that isn't very sensitive," says Mr McMahon. For greater security, use something like Blancco. "And if you really are paranoid, destroy the disk."