Simson Garfinkel once forgot to clean out an old hard drive and his father discovered his diary. The mistake led him to try an experiment: buy dozens of used disks and check out their contents. His conclusion: Dumping an old hard drive can be like tossing aside a wallet with the ID still inside.
Mr. Garfinkel and a fellow MIT grad student, Abhi Shelat, trolled through eBay and visited computer shops looking for old hard drives. They paid from $5 to $30 each for 158 of them. Then they dug around for recoverable information.
The pair wrote in an engineering journal, IEEE Security & Privacy, that they found 128 working drives and 69 had recoverable files. Of these, 49 contained "significant personal information." They found corporate memos, love letters, and pornography. The scariest finds were 5,000 credit-card numbers, along with a year's worth of records from an Illinois ATM machine (complete with account numbers).
Techies debate whether users ever can permanently erase data. They agree, however, that destroying a drive (say, with a sledgehammer) destroys the data. The most accepted nondestructive method involves software like CyberScrub, DataGone, and WipeDrive, which overwrite old data with meaningless ones and zeros. Encrypting valuable documents also helps. Mr. Garfinkel and Mr. Shelat argue that software makers should make data destruction easier.