Personal info abounds on used devices

Posted on  April 17, 2019

by Colin Staub

A random sampling of second-hand electronics for sale around Wisconsin found significant amounts of data, including hundreds of pieces of personally identifiable information.

In a blog post on the site of cyber security firm Rapid7, company staffer Josh Frantz describes an experiment he carried out to gauge companies’ data erasure methods. Frantz, a senior security consultant at Rapid7, purchased 85 used devices, a mix of computers, removable storage devices, hard drives and cell phones, from 31 businesses near his home in Wisconsin. All told, the devices cost about $600.

Frantz took them home and ran data-extraction procedures on them. For computers, he wrote a script to run through and index all documents, pictures, saved emails and instant messenger conversation histories. The data was collected and placed on a USB drive. Similar extraction procedures were run on the hard drives, removable storage devices and cell phones.