USB drive users need to exercise caution when throwing away or recycling those devices, according to a Wednesday study from Comparitech. Researchers at the University of Hertfordshire purchased 200 used USB flash drives–half from the US, half from the UK–to determine how securely data on the drive was stored before being disposed of. Some 68% of drives sourced from the US and 67% sourced in the UK still contained data from previous users, the report found.
The identity of the previous owner of the drives could be determined for 20% of drives from the US and 22% of drives from the UK. In total, 20 drives appear to have had no effort made to delete data, 19 of which were from the UK. Six of the drives from the US could not be accessed.
SEE: Media disposal policy (Tech Pro Research)
Best practices for USB drives
Losing a USB drive is very easy. Whether it falls out of a pocket, is absentmindedly left plugged into a computer, or is swiped by someone with sticky fingers, the risk to your data is quite high. Because of this, encrypting your drive is the best defense to preventing data theft–and protecting drives which are intended for resale, as encrypted data necessarily cannot be read by the new owner.
Additionally, do not plug in random USB drives you find on the street.
How to wipe a USB drive
For Linux and Mac OS X, you can overwrite the entire device with random data using this command from the terminal:
dd if=/dev/urandom of=/dev/sdX bs=1M
You’ll want to replace /dev/sdX with the actual ID of the drive. Be careful to specify the correct drive, to avoid inadvertently overwriting the wrong drive. More than one pass is not necessary, as this is not magnetic media, like a traditional platter hard drive.
After this task completes, use the storage manager for your operating system to format the drive to create a new file system, making the drive usable again. Formatting a drive does not, by itself, erase data from a drive.
On Windows 10, go to “This PC,” and right-click on the drive you want to securely erase. Click “Format…” and uncheck the “Quick Format” box, and click Start.
Wait, who actually sells used USB drives?
Considering that USB flash drives are often given away as (underwhelming) event swag at technology conferences, they have become sufficiently commoditized to the point that attempting to sell them is not worth the effort. Fundamentally, that is not the point–any discarded USB drive should have the data on it securely removed. To borrow a talking point from environmental groups, “there is no ‘away’ to throw something to.”
For best practices on erasing other types of drives, check out Disk wiping and data forensics: Separating myth from science, and Erasing SSDs: Security is an issue.
Subscribe to the Cybersecurity Insider Newsletter
Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays