old_computerEvery PC in your office has information on its hard drive that could be damaging if it falls into the wrong hands. Confidential client information, taxation returns, bank account details, HR records — the typical computer in an accounting firm is a repository of secrets.

When criminals steal and use a person’s personal information — full name, social security number, date of birth, home address, taxation reference number, etc. – to assume that person’s identity, they can apply for loans and credit cards, open bank accounts, and make purchases in their name. Just try proving you didn’t make a purchase and you’ll soon see why identity theft is such a problem.

When the time comes to retire an old PC, what do you do to safeguard this information? Delete all the files? Format the hard drive? Unfortunately, these steps are insufficient to permanently remove this information and a skilled professional will be able to recover all or most of it.

Second-hand Computers Studied

Identity theft is big business and there’s probably no better source of details about a person’s identity than the contents of their accountant’s PC. A team led by Professor Martin Gill of the University of Leicester in the U.K. purchased six second-hand computers from a variety of sources and performed a forensic data analysis on each one using off-the-shelf computer software.

The results gave an indication of the extent of the problem. Half of the six PCs had not been securely wiped. No attempts had been made at all to wipe the contents of one computer, and the contents of the other two were easily recovered.

Professor Gill’s 2006 study entitled “Second-Hand Computers and Identity Fraud” told how on one computer the team found bank account details, correspondence with a bank noting change of email address and a previous owner’s CV.

Another computer had usernames and password for an online travel account and a spreadsheet with a company’s details of creditors, payroll and income tax. As a bonus there was also a list of around 250 names and addresses of past and present customers.

Reformatting Isn’t Enough

“Simply reformatting a hard drive is not enough to make data irretrievable”, said Professor Gill. “Anyone disposing of a personal computer must ensure that all data is securely wiped using specialist software to wipe over every sector of the hard drive.”

Think about this the next time you dispose of an old PC. Whether you sell it on-line, auction it through an auctioneer, trade it in or just put it out with the trash, it’s full of useful data for identity thieves and even agents conducting industrial espionage.

Justin Basini of U.K. financial services company Capital One, tells us: “To date most of the advice surrounding protecting oneself against fraud and identity theft has centred around looking after personal, paper-based documentation. But that won’t account for the digital fingerprints that we leave behind on our PCs.”

Microsoft recommend taking the following steps to completely wipe a computer’s hard drive clean:

1. Reformat the Hard Drive and Re-install the Operating System

Reformatting a disk prepares it to accept a new operating system. It also wipes out everything on the hard drive. When the reformat finishes, put the Windows installation CD in the CD drive and re-install Windows.

Microsoft cautions: “Reformatting will keep most people out of your old files. But specialised shareware exists to reclaim files after reformatting. If you do not know who will get the computer — or you do know and you don’t trust them — stronger measures are required.”

2. Buy Software and Overwrite the Disk, Again and Again and Again

There are several programs that write gibberish to the hard drive. Norton’s SystemWorks includes an application called “Wipe Info”. OnTrack’s “DataEraser” offers a similar feature, as does Jetico’s “BCWipe”. There are several other such applications including shareware available on the Internet.

After conducting their “Second-Hand Computers and Identity Fraud” study, Professor Gill and his team wiped all the data from the test computers using a software program called “Encase”.

Writing in USA Today, Jefferson Graham tells of another experiment conducted in 2003 by privacy expert Simson Garfinkel and fellow MIT student Abhi Shelat who purchased 158 old hard drives on eBay and found: “More than 5,000 credit card numbers, financial and medical records, personal e-mail and pornography were easily obtainable on the drives.”

To be absolutely certain that all the data on an old PC has been removed, Graham recommends taking the hard drive to a professional data-recovery service and ask them to sanitize it for you. Or there’s always the ultimate solution: “Use a sledgehammer, because the only way to really be sure is to destroy the disk.”


Copyright 2006, RAN ONE Inc. All rights reserved. Reprinted with permission from www.ranone.com.