Fraudsters buying second-hand corporate laptops to commit fraud

Fraudsters buying second-hand corporate laptops to commit fraud

The fraudsters of today aren’t the same as those of yesterday. The present-day fraudster is a continuously-evolving individual who observes current tr

Navigating the Maze: A Beginner’s Guide to UK Business Regulations for Online Shops
Why You Should Be Using PPC Marketing in Your Business
Boost Your Digital Efficiency With PDFSmart

The fraudsters of today aren’t the same as those of yesterday. The present-day fraudster is a continuously-evolving individual who observes current trends and developments in order to identify what weaknesses they can exploit. One weakness of businesses that is presently being taken advantage of is the careless disposal of corporate laptops.

By purchasing second-hand laptops and computers from corporations, fraudsters can recover and steal sensitive information that the corporation either failed to delete from the system, or wrongly believed to be wiped.

With the help of data recovery software, some of which can be accessed for free via the internet, a fraudster can retrieve bank statements, passwords, bank logins, email accounts, and other sensitive information from the old and discarded company computers. Most of the time, the companies believe that these discarded computers have been completely wiped clean. In reality, they still contain an abundance of sensitive information.

Even laptops that have allegedly been formatted can still have sensitive data retrieved from them. In one scenario, Kaspersky technicians were able to retrieve personal information from three second-hand computers that were recently purchased and believed to have been “formatted”. From one of the computers, they were able to retrieve 117 usernames and passwords for email accounts and websites, as well as pictures and other personal media.

If this much information could be retrieved from the discarded personal computer of an individual, one can only imagine how much information could be retrieved from a second-hand purchased computer used by a company in the past.

A treasure trove for fraudsters

A significant number of the hard drives that are currently available on the open market still hold sensitive and recoverable data. You just need the right tools to access the information, especially if the hard drive was formerly used by a corporate body. Today’s fraudsters have these tools at their disposal and are more than happy to use them.

An Information Commissioner’s Office (ICO) report indicated that from more than 200 hard drives that were sold during an auction, almost half of them still carried personal data from the original owner. 11% of these drives contained information that was sensitive enough to be utilised for fraud or identity theft. Also, at least two of the drives contained passport screenshots, bank statements, and medical records.

In a different study carried out by Dr. Simson Garfinkel, 236 hard drives were purchased from eBay. Keep in mind that more than a thousand hard drives are sold every day on eBay. Garfinkel’s study revealed that:

  • Seven of the hard drives contained more than 300 credit card numbers that were recoverable.
  • A mere 19% of the hard drives were wiped completely.
  • One of the drives was an ATM drive that contained 827 unique PIN numbers.
  • Another of the hard drives came from a medical centre and contained more than 11,000 unique pieces of patient information and credit card numbers.

If you run a business and want to get rid of a computer that you have used for company operations, simply pushing the delete button before throwing the computer out is not enough. In fact, your company could be in breach of the EU General Data Protection Regulation (GDPR). Under the new regime, you could potentially be fined up to €20 million, or 4% of your annual global turnover, (depending on which is higher), if your old hard drives or computers are used by cybercriminals to release data on EU citizens.

Even employees who use personal computers for work-related activities are another potential goldmine for hackers if they then sell the computer.

How corporations can protect their sensitive data when discarding old or faulty computers and hard drives

For a company to effectively protect confidential data stored on a computer it intends on giving away or selling, the computer and its hard drive need to be completely wiped. And wipe doesn’t mean a standard quick “format”.

Nowadays, the delete button is more or less ineffective if your aim is complete security and peace of mind. For true security concerning the safety of your corporate data before discarding or selling your old corporate laptop, take advantage of the following steps to avoid the risk of sensitive information being stolen.

Back up your data

Naturally your first step should be to back up all your important data to another storage device before wiping a system clean. You can transfer the data to another hard drive or simply back it up onto the cloud. This is why having a go-to-client cloud database software system in place for business’ such as IFAs and Mortgage Brokers is so important, data will not get lost and it increases a business’ efficiency.

Use software to wipe your drive

There is a variety of specialised software out there that you can use to permanently erase all files or specific files from your hard drive. Once you use this software, the chances of the erased documents being retrievable are slim to none, even with the use of data recovery software.

Physically wipe your hard drive

While using a specialised program to erase files should work, there is no guarantee every file is irretrievable. For a more thorough clean-up that takes no chances, you can take additional measures by physically wiping the hard drive of the corporate laptop. This can be done by opening up the computer and taking out the hard drive. The hard drive should then be rubbed with a rare earth magnet. Alternatively, you could just smash the extracted hard drive to bits, if you have no intention of selling it.

Perform a fresh operating system installation

If you choose to simply use a program to wipe your hard drive instead of getting physical, then the next step will be to completely rewrite the entire hard drive with a complete installation of the system’s original operating system. This will restore the system to its original state and write over data entered into the system while your company was using it.

In conclusion

“Improperly discarded corporate laptops are quite commonplace and fraudsters are profiting from them. For the sake of you and your corporation’s safety, it is wise to effectively and correctly wipe your hard drive before disposing of the computer. Your corporation’s personal data should never leave the company on a discarded laptop.” states Advanced Data Recovery.

In all honesty, the only way to ensure that a fraudster can never retrieve information from an old company computer is to take out the hard drive and destroy it. It pays to play it safe, so do the right thing.

COMMENTS