Researchers dig up medical reports, porn from used Aussie hard drives on eBay

A study of second-hand hard drives in Australia has found 28 percent of them contained private information, including medical records, client correspondence and porn.

A new study commissioned in Australia by the National Association for Information Destruction (NAID) highlights that completely sanitising old hard drives before putting them up for sale on eBay is something businesses and consumers struggle with.

NAID’s study was conducted in January by a forensic investigator at Australian investigations firm Insight Intelligence, which looked at 52 randomly selected hard drives purchased from public markets like eBay.

The investigator found that 15 hard drives contained private information, typically in the form of old Office documents and PDFs. Somewhat concerning, eight of the hard drives came from Australian businesses, including firms operating in the medical and legal sectors.

One of the more serious finds was from a drive that appeared to have belonged to a NSW-based medical facility. The report does not name the firm, but notes the serial numbers and whether there appeared to have been efforts to destroy data on the device.

The drive contained hundreds of Word, Excel, PowerPoint, Access Database, PDF and email data files.

Files found included:

  • Lesson requirements documentation
  • Email data containing communication between staff/admin/NSW Health/Contractors etc
  • Documents related to the name of organisation supplied
  • Correspondence documentation between doctors and Medical Facility admin
  • Recruitment applications containing sensitive applicant data
  • Company tax invoices.

A probe into a hard drive that appeared to be formerly owned by a Queensland-based law firm found “conveyancing information for dozens of clients, including records from the national personal insolvency index of Australia which contains specific information about an individual’s solvency status as well as specific information that can be used to locate and identify an individual”.

The drive also contained property title search information and links to ownership details including which bank a loan was from.

A look at consumer hard drives found details that their owners would most likely not want others to view.

One hard drive that appeared to have been owned by a consumer in the Chadstone area of Queensland was found to contain pornographic material, evidence of pirated material downloads via a file-sharing client called Morpheus, and job application data.

Another hard drive, which its previous owner (also a consumer, from South Australia) had attempted to sanitise, was found with a stash of personal photos and videos, bank statement, court case documents relating to a case against a family member, movies, TV shows, porn material, and school projects in Word and PowerPoint documents.

In both consumer devices, the latest content created was from 2013.

“While it might be tempting to dismiss these results given the sample size, it is actually very disturbing,” said NAID CEO Bob Johnson.

“When you consider that the Australian Bureau of Statistics' most recent estimates put the number of computers retired annually at over 15 million, the likely amount of private data put at risk in this manner is staggering.

“People from anywhere in the world can buy these drives online, and you can be sure the ‘bad guys’ amongst them know how to use the information for evil. With the viral nature of social media, one can only imagine what could happen if someone decided to share any highly personal images and videos they have found on these drives.”

The report came as the Office of the Australian Information Commissioner (OAIC) released the new Australian Privacy Principles (APP) guidelines, which are meant to inform businesses handling sensitive and private information of new requirements under changes to Australian privacy legislation due to come into effect from March 12.
