One-in-10 second-hand hard drives still contain the original user’s personal information, suggests an investigation by the UK’s Information Commissioner’s Office (ICO).
It purchased devices from auction sites such as eBay and computer fairs.
Of the 200 hard disks collected, 11% contained personal information.
At least two of the drives had enough information to enable someone to steal the former owners’ identities, the watchdog said.
A separate survey by the ICO indicated that one in 10 people who had disposed of a mobile phone, computer or laptop had not wiped the device.
21% of users now chose to sell their old mobile phones, computers and laptops rather than get rid of them, it suggested. It added that the trend was even more common among 18-24 year-olds among whom the figure rose to 31%.
“We live in a world where personal and company information is a highly valuable commodity,” said Information Commissioner Christopher Graham.
“It is important that people do everything they can to stop their details from falling into the wrong hands.”
The ICO’s study adds to other evidence highlighting the risks of identity fraud.
Over the last three months the UK experienced a 40% increase in the problem when compared to the same period the previous year, according to research by industry fraud body CIFAS.
It says there were nearly 34,000 cases in which criminals used a victim’s name, address or other information to steal money or attempt to steal it.
Banks and their customers were affected as well as phone companies and home shopping networks.
Most of the damage is being done online, the result of spam emails, computer infections or carelessness, allowing scam merchants to gain access to personal details.
And there are instances of mail being intercepted and criminals sifting through the contents of rubbish bins to look for useful information.
In the majority of cases banks or other businesses will bear the initial loss from fraud, though the cost can feed through to higher prices.
For its investigation, the ICO employed computer forensic firm NCC Group to source and scour around 200 hard drives, 20 memory sticks and 10 mobile phones.
Nearly half (48%) contained some information. 11% of the devices held personal information.
Among the 34,000 files found were scanned bank statements, passports, information on previous driving offences and some medical details.
Four of the hard drives came from organisations rather than individuals and contained information about employees and clients, including health and financial details.
All four organisations had been contacted, and had subsequently taken action to securely erase data on old equipment, the ICO said.
One – Safe and Secure Insurances Services Limited – has agreed to introduce further improvements.
“People are in danger of becoming a soft touch for online fraudsters,” warned Mr Graham.
“Many people will presume that pressing the delete button on a computer file means that it is gone forever. However this information can easily be recovered.”
In response to its findings, the ICO has published guidance for individuals on how to securely delete information