
Disused PCs and notebooks from companies and government agencies often make their way to the online auction platform eBay. It’s a shame when the data on them is not completely deleted. As has now become known, almost 33,000 emails containing sensitive data from the Lübeck Foreigners’ Office ended up on eBay in this way.
Deleted PCs on eBay
The magazine c’t reports on an explosive incident involving Michael S., who had snapped up no fewer than 13 cheap PCs for his company on the online auction platform eBay. The PCs, of the type Fujitsu D756 SFF, were offered by the seller onkellaepi2020 and were actually supposed to be delivered without hard disks.
"Actually", because when the cases were opened, one of the computers turned out to have a hard disk installed. It was a discarded PC with a yellow dot on the front of the device. When started, it showed that Windows 7 was installed and that the desktop had a wallpaper of the Hanseatic City of Lübeck.
Without taking a closer look at the contents, the buyer allegedly removed the hard drive, marked it “scrap” and reported the incident. c’t then examined the hard drive of the PC with the Windows name “LS46-WS-1091” and found that it had apparently been used in the foreigners’ office of the Hanseatic city.
It contained data from the period from January 20, 2016 to June 29, 2021. During this period, new user accounts were also repeatedly created without deleting the previous accounts along with their associated data. A total of 31 accounts were found on the hard drive.
“This sloppiness allowed us to identify without much effort, after all, 18 employees both by name and with their function in the authority,” writes c’t.
Dataset reveals many details
The data set on the hard drive reveals not only details about the employees who used the PC, but also about the working methods of the Foreigners Office of the Hanseatic City of Lübeck.
According to the record, there seems to be a scanner within the office that captures incoming documents and faxes and distributes them to the case workers. These are assembled into files, which can apparently also be downloaded in large quantities directly from the server.
During the search, 48 complete files, including files on visa applications, were found in one of the user profiles alone. Their explosive details were fully viewable and contained all information, such as personal data of all parties involved in the visa application, proof of earnings and assets of German citizens and much more.
“We were able to locate more than 33,400 e-mails with highly explosive content on the data carrier without any effort or use of forensic tools.”
Sensitive data
From a data protection perspective, this eBay sale naturally poses a problem; after all, the find involves highly sensitive data within the meaning of Art. 9 of the GDPR, as information about religion, sexual orientation or ethnic origin is recorded. According to the law, this information must be protected particularly strictly and may not become public under any circumstances.
The main culprit in this data leak was the use of Microsoft Outlook as an email client. Although the Hanseatic City of Lübeck uses a central server on which all emails are stored, the hidden OST files that Outlook creates in its standard configuration remained on the hard drive. Outlook stores every opened or sent message in them.
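A pre-disposal check for the leftover user profiles and Outlook data files described above, as an added example that is not part of the original article or of c’t’s analysis. It assumes the retired PC’s Windows volume is mounted and the path of its Users directory is passed as the argument; without an argument it runs on a constructed sample tree whose profile and file names are invented.

```python
import os
import sys
import tempfile
from pathlib import Path

MAIL_CACHE_EXT = {".ost", ".pst"}  # Outlook offline cache / personal store
SYSTEM_PROFILES = {"public", "default", "default user", "all users"}  # assumed non-personal

def audit_profiles(users_dir):
    """Return {profile: [(relative_path, size_bytes), ...]} for every personal profile."""
    findings = {}
    for profile in sorted(Path(users_dir).iterdir()):
        if not profile.is_dir() or profile.name.lower() in SYSTEM_PROFILES:
            continue
        hits = []
        # os.walk lists every directory entry, so files carrying the Windows
        # "hidden" attribute (AppData and the OST itself) are still found.
        for root, _dirs, files in os.walk(profile, onerror=lambda e: None):
            for name in files:
                if Path(name).suffix.lower() in MAIL_CACHE_EXT:
                    path = Path(root) / name
                    hits.append((str(path.relative_to(profile)), path.lstat().st_size))
        findings[profile.name] = sorted(hits)  # empty list = profile left, no mail cache
    return findings

def disposal_blockers(findings):
    """Profiles that still hold mail data and block hand-over to the recycler."""
    return sorted(name for name, hits in findings.items() if hits)

def build_sample_tree(base):
    """Constructed sample: two leftover profiles, one with an OST cache file."""
    users = Path(base) / "Users"
    outlook = users / "clerk01" / "AppData" / "Local" / "Microsoft" / "Outlook"
    outlook.mkdir(parents=True)
    (outlook / "clerk01@example.invalid.OST").write_bytes(b"\0" * 2048)
    (users / "clerk02" / "Documents").mkdir(parents=True)
    (users / "Public").mkdir()
    return users

if __name__ == "__main__":
    users = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree(tempfile.mkdtemp())
    report = audit_profiles(users)
    for name, hits in report.items():
        print(f"{name}: {len(hits)} mail data file(s)")
        for rel, size in hits:
            print(f"    {rel} ({size} bytes)")
    print("blockers:", disposal_blockers(report))
```

A clean result only shows that no mail data files are visible in the file system; the removal and destruction of the hard drive that the disposal procedure prescribes is still required.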
How did the PCs end up on eBay?
Marit Hansen, data protection officer for Schleswig-Holstein, explains the procedure for discarded PCs and data carriers: hard drives with sensitive data must be removed from the computers before they are recycled and then destroyed.
Employees of the Hanseatic City of Lübeck remove the hard drives, affix a yellow dot to the PCs and then hand the computers over to a recycler. According to the recycler, the PC sold on eBay bore a yellow dot, but was not checked further for an installed hard drive.
According to the recycling agreement concluded with the Hanseatic City of Lübeck, the recycler is not supposed to check and open all the computers. Meanwhile, the city remains silent about the incident. Due to the ongoing investigations, questions about the incident cannot currently be answered, as Mayor Jan Lindenau stated.