Bamboozled July 14, 2016: Deleting isn’t enough. What your old computer and smartphone say about you

When you get a new computer, smartphone or other device, what do you do with your old one?

Some people give their old electronics to a friend or family member. Others try to sell them.

Whatever you do with yours, there’s a good chance you’ve left behind lots of bread crumbs — or worse — for potential identity thieves, even if you think you’ve deleted it all.

That’s according to a recent study by Blancco Technology Group, a data erasure company.

It analyzed 200 second-hand drives it purchased on eBay and Craigslist in the first quarter of 2016.

The findings were scary for anyone concerned about identity theft.

Some 67 percent of the used drives had personally identifiable information, known as PII, and 11 percent had sensitive corporate date, the company said.

The study found many users don’t realize that “delete doesn’t always mean delete.”

It said for 36 percent of the used drives, users previously tried to wipe the drives by dragging files to the recycle bin or using the delete button, but they still had residual data.

That apparently didn’t do the trick.

A “quick format” didn’t work either. The study found data was still recoverable on 40 percent of those devices.

How to protect yourself if your private information is taken by scammers

This shows there are different levels of data removal, and if you’re not careful, even your tech-savvy neighborhood teenager could recover what you think you’ve deleted.

And that could set you up to be the victim of identity theft.

“Simply removing the hard drive without properly removing the information stored on it could provide criminals an opportunity to purchase these hard drives, or retrieve them potentially from the trash in a modern day version of dumpster diving,” said James Mottola, director of forensic investigations and risk mitigation services for Sobel & Co. in Livingston and the former head of the U.S. Secret Service office in Newark.

Many people do not think twice about any of this information – especially after they delete the files containing this information, said Mitch Feather of Creative Associates, a Madison-based cybersecurity and infrastructure consulting firm.

“Deletion is not the same as erasure and erasure is not the same as secure erasure,” Feather said. “In most cases, people just rely on simple deletion which typically leaves the file largely intact on the hard drive and the sectors used by the deleted file are just marked as available and free space.”

If those sectors do not get overwritten entirely, then the file, or at least parts of the file, remain intact, even if they’re not visible to the average user, Feather said.

“As a result, data harvesting and recovery from old computers, phones, etc. can easily become a treasure trove of information,” Feather said.

Why you should protect the identities of your deceased loved ones

So how do you get rid of the info you don’t want others to see when you get rid of a device?

Feather said the gold standard for hard drive erasure is physical destruction of the hard drive, and with good reason.

“While there are secure deletion tools, there’s a limitation to secure deletion tools,” Feather said. “There is a chance that certain traces of deleted files may persist on your computer, not because the files themselves haven’t been properly deleted, but because some part of the operating system or some other program keeps a deliberate record of them.”

For a computer, if you don’t want to physically destroy the hard drive, the next-best practice is encryption all of the contents on the hard drive, then using a secure erasure tool to wipe the drive, Feather said.

For smart devices, Feather said, make sure the device and storage media are encrypted, then use a secure erasure app, perform a factory reset, and remove the SIM card and any micro SD cards, which said can be kept or physically destroyed.

Such tools are available over-the-counter with software or with apps, he said.

And don’t forget the cloud.

“The only way to securely delete a file, you must delete every copy of that file, everywhere it was stored or sent,” Feather said. “Once a file is stored in the cloud – e.g., via OneDrive, Dropbox or some other file-sharing service — then there’s usually no way to guarantee that it will be deleted forever.”

Have you been Bamboozled? Reach Karin Price Mueller Follow her on Twitter @KPMueller. FindBamboozled on Facebook. Mueller is also the founder of Stay informed and sign up for’s weekly e-newsletter.