, , ,

Securely disposing of computers with spinning or solid state drives

big-shredderCan someone steal the data off your old computer? The short answer is yes. A determined criminal can grab the bits, including documents, images, spreadsheets, and even passwords.

If you donate, sell or recycle a computer, whoever gets hold of it can recover the information in its hard drive or solid-state storage (SSD). The platform doesn’t matter: Whether its Windows or Linux or Mac OS, you can’t 100% eliminate sensitive data by, say, eliminating user accounts or erasing files!

You can make the job harder by using the computer’s disk utilities to format the hard drive. Be aware, however, that formatting will thwart a casual thief, but not a determined hacker.

The only truly safe way to destroy the data is to physically destroy the storage media. For years, businesses have physically removed and destroyed the hard drives in desktops, servers and laptops. It used to be easy to remove the hard drive: take out a couple of screws, pop open a cover, unplug a cable, and lift the drive right out.

Once the hard drive is identified and removed, you can smash it with a hammer, drill holes in it, even take it apart (which is fun, albeit time-consuming). Some businesses will put the hard drive into an industrial shredder, which is a scaled-up version of an office paper shredder. Some also use magnetism to attempt to destroy the data. Not sure how effective that is, however, and magnets won’t work at all on SSDs.

It’s much harder to remove the storage from today’s ultra-thin, tightly sealed notebooks, such as a Microsoft Surface or Apple MacBook Air, or even from tablets. What if you want to destroy the storage in order to prevent hackers from gaining access? It’s a real challenge.

If you have access to an industrial shredder, an option is to shred the entire computer. It seems wasteful, and I can imagine that it’s not good to shred lithium-ion batteries – many of which are not easily removable, again, as in the Microsoft Surface or Apple MacBook Air. You don’t want those chemicals lying around. Still, that works, and works well.

Note that an industrial shredder is kinda big and expensive – you can see some from SSL World. However, if you live in any sort of medium-sized or larger urban area, you can probably find a shredding service that will destroy the computer right in front of you. I’ve found one such service here in Phoenix, Assured Document Destruction Inc., that claims to be compliant with industry regulations for privacy, such as HIPAA and Sarbanes-Oxley.

Don’t want to shred the whole computer? Let’s say the computer uses a standard hard drive, usually in a 3.5-inch form factor (desktops and servers) or 2.5-inch form factor (notebooks). If you have a set of small screwdrivers, you should be able to dismantle the computer, remove the storage device, and kill it – such as by smashing it with a maul, drilling holes in it, or taking it completely apart. Note that driving over it in your car, while satisfying, may not cause significant damage.

What about solid state storage? The same actually applies with SSDs, but it’s a bit trickier. Sometimes the drive still looks like a standard 2.5-inch hard drive. But sometimes the “solid state drive” is merely a few exposed chips on the motherboard or a smaller circuit board. You’ve got to smash that sucker. Remove it from the computer. Hulk Smash! Break up the circuit board, pulverize the chips. Only then will it be dead dead dead. (Though one could argue that government agencies like the NSA could still put Humpty Dumpty back together again.)

In short: Even if the computer itself seems totally worthless, its storage can be removed, connected to a working computer, and accessed by a skilled techie. If you want to ensure that your data remains private, you must destroy it.

3 replies
  1. Daniel Dern
    Daniel Dern says:

    Alan, what about one of the disk wiping utilities, either wiping free space after you delete (e.g. using ccleaner), or running the disk wipe program from a different drive, or USB-mounting the drive and connecting it to another computer which then runs the wipe program?

    As a stopgap (which I often use), if possible, simply remove the drive(s) and hang onto them, letting the rest of the computer go.

    One other approach I’ve heard, which is to use whole-disk encryption, and, when ready to bye-bye the drive/system, lose the key or whatever. Requires some confidence on your part, I’d imagine….

    • Alan Zeichick
      Alan Zeichick says:

      Daniel – It depends on your paranoia level. Would whole-disk encryption or a disk-wipe utility stop a casual thief? Probably, and might be adequate for a typical consumer. However, I don’t know the quality of data recovery tools available to professionals, state actors, or to “script kiddies” who might be able to access data. If that data is really sensitive to a business, or is governed by strict compliance rules, physical destruction may be the best (or only) acceptable answer.

      And I agree: If you can extract the hard drive or solid state storage, you can let the rest of the machine go. But then what are you going to do with that old hard drive? At some point, you’re going to want to trash it… and that goes back to smashing with a maul, drilling holes, shredding, etc.

  2. Richard Schleh
    Richard Schleh says:

    Many people use internet storage companies such as the “cloud” to store their information. How easy is it for a hacker to gain access to your cloud account off of your hard drive? Would it be safer to back up your computer on a flash drive?

Comments are closed.