This experience is based on mechanical hard drives, excluding SSDs and memory cards. The company randomly purchased a total of 100 hard drives and sought to recover the data. For this they did not use very advanced systems, only relatively affordable solutions.
Another consideration is that they didn’t work with damaged or encrypted drives. These units have been discarded so as not to lengthen the process and consume a large amount of resources. Note that broken or encrypted units may also have been saved.
Bad idea to sell used hard drives
Secure HA Data Recovery recovered data from a total of 69 h ard drives,
The company says it has recovered a whopping 5.7 million files. Note that this figure is tricky, as a single unit had over 3.1 million files. He also points out that the unit the oldest that they worked is a 2.5 inch western digital from 2004. They specified that nearly two-thirds were 3.5-inch drives.
This experiment shows something we already knew: users do not verify data deletion. Only a small portion of people will irretrievably delete the information. Also, only 1% delete the data and encrypt the drive.
For example, eBay has for years required sellers to check hard drives to erase them. Something that seems to have been forgotten or fallen on deaf ears.
From the company, they ranked the hard drives without data as “sanitized”
A spokesperson reported on the handling of recovered data: “We follow our typical and strict data handling practices, which include over 100 security checks. We never saw the contents of the recovered files and purged the data securely after the exercise.”
Why should I clean it before selling it?
First of all, you never know who will be able to acquire this storage unit and what they will do with it. An attacker can use advanced tools to recover the data we have stored. If they find compromised files (private photos and/or videos), they can use them to extort money from us.
Another case that may occur is to recover files containing personal information, such as employment or rental contracts. It appears our address, full name and identification number (DNI or similar). This assumes that someone could impersonate us and therefore impersonate us.
If the first case is already bad, the second is more dangerous. They could impersonate us to get bank loans, commit serious crimes and other problems. Then, proving it wasn’t us can be complicated, not to mention the risk of being sued.
The best practice is not to sell the device used. You need to open the device, use sandpaper to abrade the plates, and then break them off as much as possible. It would even be convenient to dispose of the leftovers in several containers and in several days.
It may sound crazy, but do you want to take a risk?