Security Nightmare: Users Fail to Wipe USB DrivesStudy: Used USBs for Sale Still Store Business Documents, Medical Documents, Nude Photos
What do search warrants, W-4 forms, email exchanges with a stock broker, laboratory reports, safety documents and a nude selfie all have in common? The answer: All were found on second-hand USB drives.
A study recently released by the University of Hertfordshire found that even when users attempt to erase personal information and other sensitive data from portable USB drives, they often fail to properly remove all images and documents.
"Though there have been a few high-profile examples of companies restricting access - IBM is an example - the majority of enterprises still don't maintain this level of control over their employees' desktops, to their own peril."
To conduct their survey, researchers bought 200 used USB drives on eBay and at second-hand shops and auction stores. Of 100 devices from the U.S. and another 100 from the U.K., about two-thirds contained remnant data from the previous owner.
All this personal data can create a personal security nightmare because the information can be used for a variety of cybercrimes, including phishing attacks, identity theft and various extortion schemes, according to the study. And used USBs may also include malware as well.
When users attempt to remove or delete their data from a USB device before selling it, they're rarely successful, the small-scale study shows. In the case of the 100 USB devices from the U.S., only 18 were wiped clean using a data erase tool, the report found.
Of the remaining U.S. devices:
- Eight were formatted, but data could be recovered "with minimal effort"
- Some 64 of the USBs had data deleted, but it could easily be recovered
- And for one of the USBs, purchased, the user obviously had made no attempt to delete the data.
Among the U.S. USB drives, the researchers found six that could not be read using the tools that the team had available.
The U.K. devices didn't fare much better. The team found that 19 previous owners apparently had made no attempt to delete the data, while 47 devices had data deleted but researchers could recover it using various tools. Another 16 were formatted, but the data could still be found. Only 16 were properly wiped and one was encrypted.
About the only significant difference between the U.S. and U.K. devices was the type of information each contained. In the U.S., it was more common to find business documents on the USBs, while the U.K. devices contained more personal information.
The other jarring issue that the researchers note is that many of the tools that can properly wipe and clean a USB drive are readily available and, in most cases, free.
In general, USBs, whether new or used, pose serious security risks.
Back in 2017, the loss of one USB drive that contained highly sensitive data related to Heathrow Airport cost the company that owns the airport a fine of £120,000 ($155,000), after a government watchdog investigated. An employee lost the device, which was then found on the street by a pedestrian. That data was not password protected or encrypted, a report found.
To mitigate USB-related risks, IBM banned USBs and other portable storage drives from its corporate network in 2018 and told employees to use the company's cloud-based system instead if they wanted to share documents or review data outside work.
But despite the risks, USBs remain ubiquitous, especially at trade shows.
At the recent RSA Conference in San Francisco, numerous companies passed out and used USB drives, Mukul Kumar, the CISO and vice president of cyber practice at Cavirin, a Santa Clara, California-based security company, tells me.
"There were far too many USBs given out, and I'm not sure how many 'security' companies checked these for malware before loading their collateral," he says.
The use, or misuse, of USB drives is a two-fold security problem, Kumar says.
"There are two separate issues. The first is the data on the drives, and the second is potential malware," Kumar added. "Though there have been a few high-profile examples of companies restricting access - IBM is an example - the majority of enterprises still don't maintain this level of control over their employees' desktops, to their own peril. Smaller organizations, less able to recover from a breach, are probably the most vulnerable."
Meanwhile, if you're determined to continue using USBs, Kumar urges an obvious step: Encrypt the data.