June 5, 2006 at 6:00 AM ET
One year ago, Hank Gerbus had his hard drive replaced at a Best Buy store in Cincinnati. Six months ago, he received one of the most disturbing phone calls of his life.
"Mr. Gerbus," Gerbus recalls a stranger named Ed telling him. "I just bought your hard drive in Chicago."
Gerbus, a 77-year-old retiree, was alarmed. He knew the old hard drive was loaded with his personal information -- his Social Security number, account numbers and details of his retirement investments. But that's not all. The computer also included data on his wife, Roma, and their children and grandchildren, including some of their Social Security numbers.
In June 2005, when Gerbus took his computer to Best Buy for repairs after a hard drive crash, he knew the drive was a potential hot potato. So when a clerk there told him it had to be replaced, he asked for the damaged hardware back.
No dice. The replacement was done for free, under warranty, and Gerbus was told the old drive had to be sent to a repair center in Chicago to fulfill warranty terms.
"I asked in the store on two or three occasions. ... I was very concerned," he said. "But they said 'we can't give you the old one because it's under warranty.'"
Gerbus said he was assured that, after verifying the warranty, workers in Chicago would drill holes through the drive and make it unusable.
Hank Gerbus, 77, says he has no idea who might have had access to the drive containing a trove of his family's personal information. Photo: WLWT-TV
Tracked down in Florida
Gerbus' hard drive did make it to Chicago. But instead of being destroyed, it landed in Ed's hands. In January, Ed tracked down the Gerbus family at the couple's winter home in Florida, and placed that disturbing call.
"The only way he would have had my Florida number was if he had my hard drive," Henry Gerbus said.
Ed told Mr. Gerbus he'd purchased the drive at a flea market for $25, Hank Gerbus recalls. The two made arrangements to return the hardware to its rightful owner. But Gerbus has no idea who else might have seen the personal information in the interim.
"From June (2005) to January, I don't know where it was," he said. "That's why I am so concerned."
A Best Buy spokeswoman didn't dispute the details of Gerbus' story, but wouldn't answer questions about the incident.
"The allegations are very disturbing, as they are inconsistent with our standard procedures for disposing used hard drives," the company said in a statement. "The allegations, if true, would be intolerable. ... We are vigorously investigating."
That vigorous investigation, however, apparently didn't begin in February when Gerbus said he called Best Buy to complain. It seems to have begun just last week, when Gerbus' story was first told by reporter Tom Sussi of WLWT-TV, a Cincinnati-based NBC affiliate.
Gerbus has asked Best Buy to pay for identity theft insurance for him and his family. He says the firm so far has offered him only a $250 Best Buy gift card as compensation.
Hard drives not properly trashed
It's not clear why the drive wasn't destroyed, or how it apparently ended up on the resale market. But Gerbus' tale of the nemesis of old hard drives is no isolated incident. There have been several celebrated cases of researchers buying hard drives at used equipment stores and discovering critical data on them.
In the most dramatic example, in 2002-2003 MIT researcher Simson Garfinkel examined 129 used hard drives purchased from a variety of outlets. Only 12 had been completely cleared of data. The other drives contained thousands of documents with critical information -- one had 3,722 credit card numbers on it. Another had been used to power an ATM machine and contained sensitive bank data.
To retrieve some of that data, Garfinkel and colleague Abhi Shelat had to use advanced techniques -- but their demonstration showed old hard drives are often disposed of improperly. Simple deletion of data is not enough, as there are a variety of techniques that can be used to recover it. And data can be retrieved even from drives that have crashed, like Gerbus', using similar techniques.
On the other hand, drilling holes through a hard drive -- and specifically the platter inside -- is quite effective.
Too bad in Gerbus' case that wasn't done.
What's the lesson here? Perhaps when you bring in a computer for service, it wouldn't be a bad idea to bring your own drill. Just in case.