Never buy a used hard drive

I recently purchased a new hard drive from Amazon to upgrade my desktop.  What I got was something that neither I nor the prior owner wanted.

Yes, prior owner.  When I went to install the drive, I noticed the “safety seal” open.  As a security person, that was concerning, but maybe I opened it earlier and was just having a senior moment.

I plugged it in with a newly purchased USB adapter so I could copy my old hard drive to the new one, then fired up the copying software.  It warned me that the data on my new drive would be erased.  What data on my new drive?  Surely that’s a generic warning.

It wasn’t.  The drive had a prior owner’s data.  A presumably bootable copy of Windows, a few apps, and several browsers were all at my disposal.

My first reaction was annoyance that I was sold a used drive as new.  This was “shipped and sold by Amazon”, so it was a name-brand drive that I was buying from a known company.  Amazon sells these new or used, and they probably grabbed one from the wrong bin.  Hard drives wear out, and I didn’t want one whose useful life was diminished.  It’s also a fairly modern drive, so there was a concern that the prior owner experienced problems with it before returning.  I definitely didn’t want someone else’s problem.

Then my cyber security experience kicked in. 

Reaction 1: “Great, now I have to scan my system for malware”.  It’s certainly not uncommon for used drives to have a virus.  Simply by plugging it in I could have been infected.

Reaction 2: “What if the adapter I bought was compromised?”  More likely those files were on the disk, since the seal wasn’t intact and they included browsers, but the brand new USB-to-hard-drive adapter is from a company I never heard of.  Any USB device, even USB cables, can be hacked.  Your cable can become both a cable and an infected hard drive.  Would you notice?  Your mouse can become a keyboard that secretly types commands in the background.  Power bricks can (and sometimes do) connect to insecure Wi-Fi and grab copies of things like your account logins as they zip by in the air.  Hard drive controllers have been compromised to steal data or infect with malware, my concern here.  Even used routers have arrived with compromised code that sends copies of every online transaction to servers overseas.  Bottom line, don’t plug in anything unless it’s brand new and you know the seller is legitimate. I made a mental note to check the adapter separately.

Reaction 3: “How come the data wasn’t erased?”  Anyone recycling or returning a drive should securely erase their data using a program that overwrites all files.  I didn’t look deeply, but it sure seemed like I had access to the files and browsing history of the prior owner.  Worse, if they stored passwords in their browser I had those too.  Maybe they were lazy and assumed Amazon would erase the drive.  Maybe Amazon was lazy and assumed the prior owner did.  Maybe they both intended to and both screwed up.  The fact remains, if I had bad intentions the prior owner could have been in a world of hurt.  When I take an old spinning drive out of service, it gets a three-step treatment: hit with a hammer, holes drilled through the media, and then placed in e-waste recycling.  Flash drives get securely erased, broken, and then similarly disposed of.
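A read-only check along these lines, added here as an example and not part of the original post, confirms that an overwrite pass actually left nothing behind before a drive is returned or recycled: it looks for a partition table and counts non-zero sectors in a raw image or device. The function names, the 512-byte sector size, and the constructed sample images are assumptions.

```python
import io

SECTOR = 512  # assumed logical sector size; some drives use 4096


def inspect_image(stream, sector_size=SECTOR, chunk_sectors=2048):
    """Read-only scan of a raw disk image or device opened in binary mode."""
    stream.seek(0)
    head = stream.read(sector_size * 2)
    report = {
        # MBR boot signature occupies bytes 510-511 of the first sector
        "mbr_signature": head[510:512] == b"\x55\xaa",
        # GPT header starts at LBA 1 with the ASCII magic "EFI PART"
        "gpt_header": head[sector_size:sector_size + 8] == b"EFI PART",
        "sectors": 0,
        "nonzero_sectors": 0,
    }
    stream.seek(0)
    while True:
        chunk = stream.read(sector_size * chunk_sectors)
        if not chunk:
            break
        report["sectors"] += -(-len(chunk) // sector_size)  # ceiling division
        if chunk == bytes(len(chunk)):
            continue  # fast path: the whole chunk is zeros
        for off in range(0, len(chunk), sector_size):
            if any(chunk[off:off + sector_size]):
                report["nonzero_sectors"] += 1
    return report


def looks_blank(report):
    """True only if no partition table and no non-zero sector was found."""
    return not (report["mbr_signature"] or report["gpt_header"]
                or report["nonzero_sectors"])


def make_sample_image(used):
    """Constructed 64-sector image: all zeros, or with leftover structures."""
    img = bytearray(SECTOR * 64)
    if used:
        img[510:512] = b"\x55\xaa"
        img[SECTOR:SECTOR + 8] = b"EFI PART"
        data = b"leftover data"
        img[SECTOR * 40:SECTOR * 40 + len(data)] = data
    return io.BytesIO(bytes(img))


if __name__ == "__main__":
    for label, used in (("wiped", False), ("not wiped", True)):
        print(label, inspect_image(make_sample_image(used)))
```

An all-zero result only applies to a zero-fill wipe; a tool that overwrites with random data will show every sector as non-zero, so in that case check that the partition signatures are gone instead.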

I’m sending the used drive back to Amazon and a replacement is already on its way.  I plan to inspect it very carefully.