NAID study shows high presence of PII in resold electronics

Forty percent of electronic devices resold in the secondhand market contained personally identifiable information, according to study.


The National Association for Information Destruction (NAID), Phoenix, has announced that a recent study shows that 40 percent of electronic devices resold in the secondhand market contained personally identifiable information (PII). NAID says this is the largest study to date on the presence of PII in electronics resold via publicly available resale channels.

The association commissioned CPR Tools Inc., Fort Myers, Florida, to analyze the used devices, which included used hard drives, mobile phones and tablets.

NAID says the current state of electronic storage media has made it possible for nearly every U.S. adult to carry at least one form of data storage device. 

“As data storage is included in nearly every aspect of technology today, so is the likelihood of unauthorized or unintended access to that data,” says CPR Tools CEO John Benkert. “Auction, resell and recycling sites have created a convenient revenue stream in used devices; however, the real value is in the data that the public unintentionally leaves behind.”
 
While similar studies have been conducted over the past decade, NAID says this study is unique insofar as the recovery process used to locate the data on more than 250 devices was, by design, not sophisticated nor was advanced forensic training required. All methods leveraged downloadable shareware. 
 
NAID CEO Bob Johnson points out that while this study’s results show a decrease in data found compared with past studies, “NAID employed only basic measures to extract data. Imagine if we had asked our forensics agency to actually dig.”

He adds that “40 percent is horrifying when you consider the millions of devices that are recycled annually.”
 
PII recovered included credit card information, contact information, usernames and passwords, company and personal data, tax details, and more information. While mobile phones had less recoverable PII at 13 percent, tablets were found with the highest amount at 50 percent. PII also was found on 44 percent of hard drives. In total, 40 percent of the devices yielded PII. The study included devices that had been deployed previously in commercial and personal environments.
 
Johnson says the results are in no way an indictment of reputable commercial services providing secure data erasure. He says, “We know by the ongoing audits we conduct of NAID certified service providers that when overwriting is properly done, it is a trustworthy and effect process. The problem lies with service providers who are not qualified and, too often, with businesses and individuals who feel they can do it themselves.”