Beware the skeletons in your reformatted hard drive

Passport details, credit card information and even nude pictures were found by the programme Trash Trail on second-hand hard drives sold at Sim Lim Square.

SINGAPORE: Delete all personal information on computer – check. Reformat hard drive – check. Send hard drive to IT shop to clean it again – check.

After all those preventive steps, you would think that all your personal data including private pictures, bank and credit cards details would be wiped and safe from prying eyes.

Well, think again.

Channel NewsAsia documentary The Trash Trail investigated and discovered nude pictures, passport details and even blueprints from a marine engineering company on hard drives that had been reformatted and declared ‘clean’, before being re-sold to consumers.

The documentary also surveyed 1,000 Singaporeans to find out what they did to their electronic devices such as computers and tablets before discarding them – and surprisingly, about 24 per cent of them did nothing, while 37 per cent only reformatted it once.

The episode airs on Monday, Feb 20, at 8pm (SG/HK).

To find out if one’s information is truly deleted from used hard drives, Trash Trail producers bought nine used hard drives from different shops at Sim Lim Square. All the shops said the hard drives had been reformatted, with all information erased.

WATCH: The investigation (2:29)

One salesman said: “(Sometimes) the users’ computer is not able to start up, so they cannot clean it up. When we purchase it, we will use our software to clean it up, to make sure it’s empty before we sell it second-hand.”

The nine hard drives were handed over to Associate Professor Biplab Sikdar from the department of Electrical and Computer Engineering at the National University of Singapore to evaluate. He specialises in how data can be safely transferred, stored and accessed.

The results were shocking. Dr Sikdar found personal information on five of the hard drives, including three that had compromising personal photos on them.

They included nude pictures of someone who had presumably gone for plastic surgery. “Personally, I was very shocked to find these kind of … embarrassing and compromising pictures,” he said. “If it went to the wrong person, they might easily blackmail you.”

He also found the passport details of a person with his date of birth, medical records and another person’s bank details – all of which could be used to steal someone’s identity.

And he retrieved sensitive corporate materials from two hard-drives which once belonged to a big offshore marine engineering firm.

“They make ships. And what surprised me was that I found blueprints for the ships here.

“I would have thought that an industry, when they’re disposing of their older laptops, they would be more careful in cleaning up their stuff,” he said, adding that the information could potentially be used for fraud or corporate espionage.

While Dr Sikdar verified that all the nine hard drives had been reformatted, he was able to use software that is easily found online to extract the information.

“Think of your disk like a library… When you delete or format your disk, what happens is that the catalogue is gone. But the books are still there,” he said.

There are several ways to completely destroy your data on a hard drive, he said.

This includes degaussing the hard drive with a powerful magnet at a computer centre to wipe them clean, using software to overwrite all the info, or smashing the hard drive to bits.

CAN’T DELETE PERSONAL DATA ON E-COMMERCE SITES

But there is personal data floating around online that is even trickier or impossible to get rid of – particularly on e-commerce websites.

Many consumers typically provide their personal details such as phone numbers, credit card details and addresses when signing up at such websites. But deleting their accounts is not so simple.

Singapore online shopping site Ezbuy’s co-founder Wendy Liu said that it is not possible for consumers to completely delete their account. Deleting the app on one’s mobile device only gets rid of the app and some temporary data stored.

“But when you install it again, everything from your payment to your order history will still be there.

We have to make sure (these) are kept in our database safely for five years. It is a legal requirement,” she said.

Ms Liu assured Trash Trail that all the data is safeguarded in a database server which has limited access and is equipped with firewalls and encryption. Credit card information is usually stored with a third party.

With more organisations collecting personal data, the Personal Data Protection Act (PDPA) was enacted in Singapore in 2012 which regulates how one’s personal data can be collected, used, disclosed and maintained by organisations.

Christopher Chan, head of legal and government affairs at online grocer RedMart, said that under the PDPA, companies are allowed to keep their data on a consumer for legal purposes or account purposes for a certain number of years.

This is so that if there’s an investigation against the company or customers, or of financial fraud, they need to keep that information accessible so that they can report to the authorities.

He said: “So it doesn’t actually get deleted, but it gets held back with restricted access to it.

“It’s almost impossible to delete all your information online. There’s always going to be some remnant or trace of it.”