Users should pound old hard drives before recycling the bits and pieces, a security analyst warned Monday.
"Remove the disks and crush the cases, making sure that you break or bend the actual platters. Use a hammer," said Richard Stiennon of IT-Harvest.
Stiennon's recommendation was prompted by BBC reports that Nigerian fraudsters have been buying recycled hard drives from the U.K., then diving into the data in search of usernames and passwords for accessing online bank accounts. According to the BBC, drives are sold in the West African country's commercial capital of Lagos for as little as 20 pounds ($37.87). Many of the drives the BBC found in Lagos came from U.K.-based recycling companies.
"This goes beyond the casual discovery of critical information," Stiennon said. "Cyber thieves are well-equipped to use forensic tools to recover deleted files."
Nigeria is notorious for harboring identity thieves, who typically run elaborate scams that involve supposedly dead or dying millionaires, money transfers, and pleading innocents. Dubbed "419" schemes for the section of the Nigerian criminal code they violate, the scams predate e-mail and the Internet, but have boomed because of both. In February, for example, Dutch authorities arrested a dozen Nigerians for operating a 419 ring and bilking North Americans out of $2 million.
Stiennon also cited a report issued last week by British Telecommunications (BT), conducted by researchers at the University of Glamorgan in Wales and Australia's Edith Cowan University, which said a large number of second-hand hard disks contained "significant volumes of sensitive information."
The researchers -- who were repeating their 2005 study -- examined more than 300 drives obtained from the U.K., Australia, North America, and Germany via online auctions, flea markets, and computer fairs. Among the data recovered from the used drives were payroll information, cell phone numbers, invoices, employee names and photos, porn, and details of bank and credit card accounts.
"Companies and individuals need to take disposal of information stored on hard drives more seriously," said Andy Jones, BT's head of security research, in a statement last week when the report was released. "Just from looking at this random sample, it is obvious that there are hard drives on public sale that still contain highly confidential material."
"I'm raising my recommendation for disposing of old PCs because of this new level of attack," said Stiennon. "Totally destroy the hard drives."
It's not that other methods of destroying data -- such as zapping drives with massive electromagnets or running government-approved eraser programs -- don't do the job, he said.
"The whole managed control approach, where companies have a check-off process before a machine is retired, isn't enough," said Stiennon. "I'm confident in magnets and erasers, but I'm not confident in the process. [Erasing hard drives] just doesn't get done."
By physically removing and destroying the drives, businesses are adding another check to the system. "If a bunch of computers are on the shipping dock and someone notices that they still have their drives, then they'll know the machines aren't to leave. Or if the receiver sees that the drives are intact, he'll know to ask 'did you mean to ship these with hard drives?'" said Stiennon.
Erasing a drive with free or low-cost software -- Stiennon, who once worked for Webroot, recommended that company's $30 Window Washer -- does work in some situations. "If you're giving the PC to a friend or someone in the family, use software to clean it up," he advised.
But in every other instance, for businesses ranging from small to large, he repeated the bash-and-bang recommendation. "Hard drives cost next to nothing. They're one of the cheapest components of a PC and could easily be replaced with a higher capacity, faster disk."
So grab a hammer.
"But always wear safety glasses," Stiennon finished.