Thousands of highly sensitive documents have been retrieved by Dundee cyber experts from seemingly empty USB drives.
Researchers from Abertay University said 75,000 files were recovered, using tools available to the public, from 100 devices which had been sold second-hand.
The cybersecurity team found tax returns, contracts and bank statements among the “deleted” files as part of an investigation into the risks of selling used USB drives over the internet.
Researchers purchased the USB drives on a popular online auction site and examined them. They found that 98 of the 100 seemed, at face value, to be empty, but only 32 of the drives had been properly wiped.
Professor Karen Renaud, from Abertay’s Division of Cybersecurity, said: “This is extremely concerning, and the potential for this information to be misused with extremely serious consequences is enormous.
“An unscrupulous buyer could feasibly use recovered files to access sellers’ accounts if the passwords are still valid, or even try the passwords on the person’s other accounts given that password re-use is so widespread.
“They would likely be able to find a seller’s e-mail address from the files we found on the drive. They could try to siphon money from the bank accounts or even blackmail a seller by threatening to reveal embarrassing information.”
Some of the USB files included images with embedded location data, while others contained passwords.
The research, led by master's student James Conacher, found none of the drives held any viruses or other malware, meaning the risk lies with the seller, not the buyer.
Professor Renaud explained why people mistakenly believe they have cleared USBs.
“The files are removed from the index so that they are effectively hidden from view,” she said.
“They’re still there though and if you know how, you can easily recover them using publicly available forensics tools.
“Software is freely available that can permanently wipe USB drives, so if you are going to sell a device we would strongly recommend using that.
“If you’re planning to discard a USB device without selling it, you should destroy it with a hammer – make it impossible for a third party to get hold of the data it stores.
“If you’re planning to buy a new USB drive, the best way of mitigating the risks is to buy an encrypted device.”
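The gap described above, between a drive that lists no files and one that has actually been wiped, shown as an added example that is not part of the original article or the Abertay research. It uses a constructed eight-sector image with a made-up one-sector index and hypothetical helper names; `audit_image` is the kind of check a seller could run on an image of their own drive before listing it.

```python
SECTOR = 512
# Leading "magic" bytes of common document and image formats.
SIGNATURES = {"pdf": b"%PDF-", "jpeg": b"\xff\xd8\xff", "zip/docx": b"PK\x03\x04"}

def build_toy_drive() -> bytearray:
    """Constructed 8-sector drive: sector 0 is the file index, the rest hold data."""
    img = bytearray(SECTOR * 8)
    contents = ((0, b"statement.pdf:2\nholiday.jpg:5\n"),
                (2, b"%PDF-1.4 constructed sample"),
                (5, b"\xff\xd8\xff\xe0 constructed sample"))
    for sector_no, data in contents:
        start = sector_no * SECTOR
        img[start:start + len(data)] = data
    return img

def listing(image) -> list:
    """Names visible through the index, i.e. what a file manager would show."""
    raw = bytes(image[:SECTOR]).rstrip(b"\0")
    return [line.split(b":")[0].decode() for line in raw.splitlines() if line]

def quick_delete(image) -> None:
    """Ordinary deletion in this model: only the index sector is cleared."""
    image[:SECTOR] = bytes(SECTOR)

def full_wipe(image) -> None:
    """Proper wipe in this model: every sector is overwritten with zeros."""
    image[:] = bytes(len(image))

def audit_image(image) -> dict:
    """Count sectors that still hold data and sectors that start like a known file."""
    residual, hits = 0, {name: 0 for name in SIGNATURES}
    for off in range(0, len(image), SECTOR):
        sector = bytes(image[off:off + SECTOR])
        if sector.count(0) != len(sector):      # any non-zero byte: not wiped
            residual += 1
        for name, magic in SIGNATURES.items():
            hits[name] += sector.startswith(magic)
    return {"residual_sectors": residual, "signature_hits": hits,
            "wiped": residual == 0}

if __name__ == "__main__":
    drive = build_toy_drive()
    quick_delete(drive)
    print("after delete:", listing(drive), audit_image(drive))
    full_wipe(drive)
    print("after wipe:  ", listing(drive), audit_image(drive))
```

An all-zero read-back only covers the sectors the drive exposes to the host; it says nothing about spare flash blocks the controller keeps out of view.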