Ask Slashdot: How To Deal With Refurbed Drives With Customer Data?
An anonymous reader writes "I just received 3 'refurbished' SATA drives from Newegg. All 3 had some sort of existing partition. Most appeared to be factory diagnostic partitions, but one had a full Dell Windows XP install complete with customer data. How big a deal is this? Should I contact someone besides Newegg about this?"
Data Breach (Score:5, Insightful)
Technically it qualifies as a Data Breach Incident. Depending on the industry the original drive belonged to shit could hit the fan.
The fault lies entirely with the original owner for not wiping the hard drive before returning the equipment. NewEgg is not in the data wiping business.
Of course the easiest thing for you to do would simply be to repartition it and reformat it.
Re:Data Breach (Score:4, Insightful)
So - then are you saying that you should never RMA a failed HD? Because if NewEgg doesn't wipe drives as part of the refurbishment, then you can never send a drive back.
Re:I've gotten "new" drives from Newegg and Amazon (Score:5, Insightful)
That is a good reason to buy drives from Amazon.
So Amazon selling used drives labeled as new is a good reason to buy from them? Sounds to me that you need a new vendor. And if you're buying 210 drives a year (one used drive every 30, and you see 7 used drives a year), I highly recommend you get some sort of direct wholesale or resellers account instead.
Re:Two choices... (Score:5, Insightful)
Is it Newegg's job to wipe the drives?
I would have thought it's up to the original owner to make sure there's nothing important on there.
Re:Two choices... (Score:2, Insightful)
Re:Two choices... (Score:4, Insightful)
Suddenly you're in a whole new world of hurt that involves trying to prove to a justice system that goes for the simplest possible answer that you didn't put it there...
Re:Two choices... (Score:5, Insightful)
Refurbished drives usually mean the drive failed, was sent in for repair and now is being resold. You can wipe a failed drive? If the motor died, how can you wipe it? The average person does not have the utilities to wipe a failed drive. Whoever refurbished the drive should have wiped it, not newegg.
Re:knowledge is power (Score:5, Insightful)
Re:Two choices... (Score:4, Insightful)
If the drive is truly "refurbished" NewEgg or its supplier should be testing the drive and in the process of testing the data should be wiped. Yes, I know that a "refurbished" drive has not been fixed but at least it should be tested and wiped to ensure that it meets OEM specifications.
Comment removed (Score:5, Insightful)
Re:knowledge is power (Score:5, Insightful)
First, have a look at the data. Then decide.
Just because you have it doesn't justify any actions you take based upon it. Erase it. Make sure it's completely gone. Then notify Newegg their Refurbies are morons, putting them at legal risk, as well.
What really happened (Score:4, Insightful)
Re:knowledge is power (Score:4, Insightful)
Knowledge can be quite a burden, too.
YMMV.
Re:Two choices... (Score:5, Insightful)
This drive was not refurbished. At best it was put through a cursory test and passed. Newegg failed twice: once, not actually refurbishing the drive, and second not wiping it. Dishonest and incompetent in one pass.
Or their outsourced team, still responsible.
Re:knowledge is power (Score:3, Insightful)
Re:knowledge is power (Score:5, Insightful)
*this*
encrypt your drive before it fails, because once it fails you can not control the data if you want to return the drive.
I have eaten drives before rather than warranty returns because the data was sensitive (IMHO) and I do not trust every person in the chain to not snoop on the drive's contents.
-nB
Re:Christmas Ornaments (Score:4, Insightful)
Even if it was still under warranty? For a decent-sized drive, that's giving up over a hundred dollars that the manufacturer rightfully owes you for selling a defective product.
Re:knowledge is power (Score:5, Insightful)
Why do I have to be the first to say it?
Format the drive. Store data on it. Move on with your life. It's a non-issue. Quit being a drama queen.
Re:Data Breach (Score:2, Insightful)
I haven't had to return a consumer hard drive (yet), do they have to be returned in working order? If not, then I'd open it up and physically scrape a screwdriver across the platters.
Ever read the standard warranty terms?
To open the drive you have to break the "warranty void if removed" sticker/foil. Either it's covering a screw to prevent opening the drive, or there's enough stickers you can't just open it without making it obvious you did.
Return it to them in that condition, and they'll either say "no coverage" and refuse to ship it back, or they'll insist you can only have a replacement at full retail cost.
Must Wipe It (Score:5, Insightful)
No decision needed. Look all you want, but the liability is on you if someone decides your computer is of interest and data is questionable. Unless you report it to vendor in a verifiable way, data on the drive, even if it was not yours, is now yours in any examination. Report it in writing or no evidence will exist to point in someone else's direction for liability.
Wiping beyond technological limits of retrieval is important with both criminal liabilities and civil copyright liabilities. The odds of old data being a problem in your life may be low, but it would be icing on the cake with any situation bringing your drive to the attention of some types of investigations.
Call it paranoia if you like, but why drive around in your new used-car with a suitcase in the trunk that came with the car without knowing precisely what is inside. Remove the suitcase, or examine every square inch of it looking for contraband.
Re:knowledge is power (Score:4, Insightful)
First, the information never should have been on the drive anyway.
How do you know this? Someone along the line should have deleted it but didn't. Maybe the drive wasn't in working order when it was returned. Maybe the tech just forgot to format it before sending it back. Former CIA chief John Deutch was found to have classified files on his personal, unsecured computer [prnewswire.com] even though CIA techs provided him with a secure one.
If somewhere down the line an investigation gets fired up to go into where all those missing drives went you can bet your ass they'll be knocking on your door, taking your drives (probably more than just the refurbished one), and asking a lot of questions (that are a lot easier to answer honestly than with little white lies). Second, most classified information is classified for a reason. If someone out there is selling drives with classified information on them, that's what we call a bad thing. Yeah, it's going to be a headache for you, but it's the kind of thing that really shouldn't be happening.
Your drives will be seized regardless in your scenario whether you looked at the data or not. The government may inspect them to see if the data still exists. A simple format will not truly erase all the data. If your SOP is to format all HDDs when you get them and never look at the data you are far safer. I don't know if the government can technically determine you looked at the data through computer forensics or more conventional means (interrogation) but you are far better off never knowing the contents.
Re:knowledge is power (Score:4, Insightful)
You're probably right on that count. I was thinking that if you tell a vendor they sent you customer data without offering some form of proof, you're very likely to get a nonsense reply that adds up to "No, we didn't." To be clear, if there's anything with a mandatory reporting requirement, I do agree that you DO turn it in. When you don't, you ARE guilty of a crime.
Maybe the question is "What do you want to accomplish?" Get on with your life? Then just wipe the drive. Hold the vendor accountable? That gets messy. I'll still stick with "Wipe your own data." If you mail your data to someone, assume they WILL disclose it.
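Several comments above turn on whether repartitioning or formatting actually removes a previous owner's data. As an added illustration that is not part of the original thread, this Python sketch audits a raw disk image for leftover MBR partitions and non-zero sectors; the sample image, the simplified quick-format model and all function names are constructed for the example.

```python
import io
import struct

SECTOR = 512

def mbr_partitions(sector0):
    """Return (type, start_lba, sector_count) for each used MBR slot."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        return []  # no MBR boot signature present
    parts = []
    for i in range(4):
        off = 446 + 16 * i               # four 16-byte entries start at 446
        ptype = sector0[off + 4]
        start, count = struct.unpack_from("<II", sector0, off + 8)
        if ptype != 0 and count != 0:
            parts.append((ptype, start, count))
    return parts

def audit_image(stream):
    """Read every sector; report partitions and sectors that still hold data."""
    sector0 = stream.read(SECTOR)
    stream.seek(0)
    total = dirty = 0
    while chunk := stream.read(SECTOR):
        total += 1
        dirty += any(chunk)              # True if any byte is non-zero
    return {"partitions": mbr_partitions(sector0),
            "sectors": total, "nonzero_sectors": dirty}

def audit_bytes(data):
    return audit_image(io.BytesIO(bytes(data)))

def build_sample_image(sectors=64):
    """Constructed image: one MBR partition (type 0x07) with fake records."""
    img = bytearray(sectors * SECTOR)
    struct.pack_into("<B3sB3sII", img, 446, 0x80, b"", 0x07, b"", 8, sectors - 8)
    img[510:512] = b"\x55\xaa"
    for lba in range(8, 40):
        img[lba * SECTOR:(lba + 1) * SECTOR] = b"CUSTOMER-RECORD ".ljust(SECTOR, b"x")
    return img

def quick_format(img):
    """Simplified model: only the partition table and first FS sector change."""
    out = bytearray(img)
    out[0:9 * SECTOR] = bytes(9 * SECTOR)
    return out

if __name__ == "__main__":
    img = build_sample_image()
    for label, data in [("as received", img), ("quick format", quick_format(img)),
                        ("zero-filled", bytearray(len(img)))]:
        print(label, audit_bytes(data))
```

In the constructed image the quick-format model clears the partition table but leaves 31 of the 33 data-bearing sectors intact, while the zero-filled image reports none. The scan only sees sectors addressable by LBA, so blocks a drive has remapped internally are outside what it can verify.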