A cybersecurity team from Abertay University has recovered 75,000 deleted files from preowned USB drives, including tax returns, contracts and bank statements.
The discovery was part of an investigation into the dangers of reselling USB drives. The files were found on 100 USBs bought by university researchers from an online auction site.
While 98 of the drives appeared empty at first glance, by using commonly available tools the team was able to retrieve deleted data from several of them.
The researchers extracted every file from 42 of the drives, partial files from 26 devices, while 32 were properly wiped before resale.
Computing scientist Professor Karen Renaud from Abertay’s Division of Cybersecurity said: “This is extremely concerning, and the potential for this information to be misused with extremely serious consequences is enormous.
“An unscrupulous buyer could feasibly use recovered files to access sellers’ accounts if the passwords are still valid, or even try the passwords on the person’s other accounts given that password re-use is so widespread.
“They would likely be able to find a seller’s email address from the files we found on the drive. They could try to siphon money from the bank accounts or even blackmail a seller by threatening to reveal embarrassing information.”
However, the researchers found that none of the drives contained any viruses or other malware. As such, while the sellers were at risk of data breaches, buyers were safe using the purchased drives.
The research from Abertay University highlights some of the cybersecurity risks associated with the use of USB drives.
- Leader Insights | Cybersecurity Essentials with CISO Jordan Schroeder
- Half of All Organisations Experienced Cybersecurity Incidents While Working Remotely
- New Cybersecurity Centre of Excellence Announced by Police Scotland
While the most common causes of data breaches are digital, such as unpatched software and phishing attacks, physical threats, including loss and theft, are also concerns for businesses.
For example, in 2017, Heathrow Airport lost an unencrypted USB stick containing sensitive information, including the personal details of security staff. The potential breach landed the airport with a £120,000 fine from the Information Commissioner’s Office (ICO).
With the coronavirus driving an increase in remote working, it is vital to ensure files are properly stored and encrypted.
The rise of Bring Your Own Device (BYOD) policies, which were being used at 45% of businesses in 2018, has increased cybersecurity risks. With employees using their own devices, it is easy for one unsecured USB drive containing sensitive information to slip through security and potentially negate millions of pounds worth of data protection.
Professor Renaud provided advice on ensuring that USB drives are properly secured before disposal: “A lot of people don’t realise it, but the way many computers delete files doesn’t actually remove them.
“What happens is that the file is removed from the index so that they are effectively hidden from view. They’re still there though and if you know how, you can easily recover them using publicly available forensics tools.
“Software is freely available that can permanently wipe USB drives, so if you are going to sell a device, we would strongly recommend using that.
“If you’re planning to discard a USB device without selling it, you should destroy it with a hammer – make it impossible for a third party to get hold of the data it stores.
“If you’re planning to buy a new USB drive, the best way of mitigating the risks is to buy an encrypted device.”