Beware the skeletons in your reformatted hard drive

Passport details, credit card information and even nude pictures were found by the programme Trash Trail on second-hand hard drives sold at Sim Lim Square.

SINGAPORE: Delete all personal information on computer – check. Reformat hard drive – check. Send hard drive to IT shop to clean it again – check.

After all those preventive steps, you would think that all your personal data including private pictures, bank and credit cards details would be wiped and safe from prying eyes.

Well, think again.

Channel NewsAsia documentary The Trash Trail investigated and discovered nude pictures, passport details and even blueprints from a marine engineering company on hard drives that had been reformatted and declared ‘clean’, before being re-sold to consumers.

The documentary also surveyed 1,000 Singaporeans to find out what they did to their electronic devices such as computers and tablets before discarding them – and surprisingly, about 24 per cent of them did nothing, while 37 per cent only reformatted it once.

The episode airs on Monday, Feb 20, at 8pm (SG/HK).

To find out if one’s information is truly deleted from used hard drives, Trash Trail producers bought nine used hard drives from different shops at Sim Lim Square. All the shops said the hard drives had been reformatted, with all information erased.

WATCH: The investigation (2:29)

One salesman said: “(Sometimes) the users’ computer is not able to start up, so they cannot clean it up. When we purchase it, we will use our software to clean it up, to make sure it’s empty before we sell it second-hand.”

The nine hard drives were handed over to Associate Professor Biplab Sikdar from the department of Electrical and Computer Engineering at the National University of Singapore to evaluate. He specialises in how data can be safely transferred, stored and accessed.

The results were shocking. Dr Sikdar found personal information on five of the hard drives, including three that had compromising personal photos on them.

They included nude pictures of someone who had presumably gone for plastic surgery. “Personally, I was very shocked to find these kind of … embarrassing and compromising pictures,” he said. “If it went to the wrong person, they might easily blackmail you.”

He also found the passport details of a person with his date of birth, medical records and another person’s bank details – all of which could be used to steal someone’s identity.

And he retrieved sensitive corporate materials from two hard-drives which once belonged to a big offshore marine engineering firm.

“They make ships. And what surprised me was that I found blueprints for the ships here.

“I would have thought that an industry, when they’re disposing of their older laptops, they would be more careful in cleaning up their stuff,” he said, adding that the information could potentially be used for fraud or corporate espionage.

While Dr Sikdar verified that all the nine hard drives had been reformatted, he was able to use software that is easily found online to extract the information.

“Think of your disk like a library… When you delete or format your disk, what happens is that the catalogue is gone. But the books are still there,” he said.

There are several ways to completely destroy your data on a hard drive, he said.

This includes degaussing the hard drive with a powerful magnet at a computer centre to wipe them clean, using software to overwrite all the info, or smashing the hard drive to bits.


But there is personal data floating around online that is even trickier or impossible to get rid of – particularly on e-commerce websites.

Many consumers typically provide their personal details such as phone numbers, credit card details and addresses when signing up at such websites. But deleting their accounts is not so simple.

Singapore online shopping site Ezbuy’s co-founder Wendy Liu said that it is not possible for consumers to completely delete their account. Deleting the app on one’s mobile device only gets rid of the app and some temporary data stored.

“But when you install it again, everything from your payment to your order history will still be there.

We have to make sure (these) are kept in our database safely for five years. It is a legal requirement,” she said.

Ms Liu assured Trash Trail that all the data is safeguarded in a database server which has limited access and is equipped with firewalls and encryption. Credit card information is usually stored with a third party.

With more organisations collecting personal data, the Personal Data Protection Act (PDPA) was enacted in Singapore in 2012 which regulates how one’s personal data can be collected, used, disclosed and maintained by organisations.

Christopher Chan, head of legal and government affairs at online grocer RedMart, said that under the PDPA, companies are allowed to keep their data on a consumer for legal purposes or account purposes for a certain number of years.

This is so that if there’s an investigation against the company or customers, or of financial fraud, they need to keep that information accessible so that they can report to the authorities.

He said: “So it doesn’t actually get deleted, but it gets held back with restricted access to it.

“It’s almost impossible to delete all your information online. There’s always going to be some remnant or trace of it.”

Related Articles

ThriveDX: Meet-and-Greet with Partners in Jakarta

ThriveDX organised a Meet-and-Greet session at Kedai Kopi Tenong in Jakarta, together with PT Mega Cyber Security on September 5th. Thank you to the partners who attended the event: PT Alumagubi Raya Indonesia – Franky Yap, Robby Hartana Docotel – Nico Amon, Yudis Tuasamu PT Global Intikarya Sejahtera (GIS) – Ronald Romein, Lhesli Wuisang Nusantara […]

DT Asia 15th Anniversary

15 amazing years of delivering innovative cybersecurity technology and solutions across Asia Pacific since 2007! DT Asia is proud to say we have come far on our journey, where we have achieved incredible growth milestones in Asia – and we did not do it alone. Our accomplishments today are only possible because of the continuous support from our partners, […]

This Month in Cybersecurity: The Weather is Heating Up and So Are Cyberattacks

At the time of writing, much of Europe and the U.S. is in the midst of a major heatwave, delivering record temperatures and concerns about climate change. Just as the heat is rising, so is the threat of cyberattacks. New data has emerged that reveals 2022 is looking like it could be the worst year […]

IndoSec 2022 : Indonesia’s Premier Cyber Security Summit – Mega Cyber Security

DT Asia Pte Ltd is proud to be one of the keystone sponsors together with Yubico & ThriveDX to PT Mega Cyber Security in this upcoming IndoSec 2022 event on 6-7 September 2022. Based in Jakarta, PT Mega Cyber Security is our joint venture partner and will be participating in this event showcasing Yubico and […]

Accelerate YubiKey adoption at scale

  ‘You are breached’ is a phrase that no security or business executive wants to hear. Cyberattacks targeting critical infrastructure and data are an issue facing every industry, and any critical systems and applications that aren’t protected by phishing-resistant multi-factor authentication (MFA) creates a security threat gap. Closing the gap requires the highest levels of […]

Contact DT Asia Group Hong Kong

Address: Unit 929, Kowloon Bay Industrial Centre,
15 Wang Hoi Road, Kowloon Bay, Hong Kong
Tel: +852 58010001

Like Our Facebook Page :)