Stockholm-based Pointsec Mobile Technologies on Wednesday said it bought 100 laptop computers from a host of Internet and public auctions over the past two months.
The exercise intended to demonstrate that the scores of lost or stolen laptops that wind up at auction every day have hard drives with little or no security, giving identity thieves and fraudsters easy access to lucrative data.
What it did not expect to find was a cache of corporate laptops too that were as easy to crack as grandma's PC.
In all, the firm's technicians were able to pull sensitive details from 70 of the 100 machines it bought.
Vulnerable hard disk
In one case, it obtained a particularly vulnerable hard disk drive from online auction site eBay that apparently once belonged to one of Europe's largest insurance companies.
On the hard disk drive were current details of customers' pension plans, payroll records, personnel details, login codes and administration passwords for the company's Intranet site.
Home addresses, telephone numbers and dates of birth of customers were also listed in 77 Microsoft Excel files, the company said.
"Encryption and other security measures are vital to ensure that security is not compromised"
National Hi-Tech Crime Squad,
"Even when companies or individuals believe they have wiped the hard drive clean, it is blatantly clear how easy it is to retrieve sensitive information from them," said Pointsec CEO Peter Larsson.
Companies usually go to the trouble of wiping a computer hard drive of any sensitive details before discarding them, but even that is not foolproof, Larsson said.
A bigger problem is laptops lost on the train or the airport, which are often auctioned to the public if the owners don't claim them.
From laptops it acquired at an auction from Britain's Gatwick Airport, Pointsec used generic password recovery software - many free varieties are on the Internet - to access information on one in three of them.
It scored a similar rate of success from laptops acquired at auctions in the United States, Germany and Sweden.
In Sweden, the first laptop Pointsec bought at auction contained information about a large food manufacturer and its customers, plus a PowerPoint presentation about a product line.
"Pointsec's research demonstrates just how easy it is to access information which is not adequately protected," said Tony Neate of Britain's National Hi-Tech Crime Squad.
"Encryption and other security measures are vital to ensure that security is not compromised - something as simple as a hard disk drive password can deter the opportunist."