Missile data found on hard drives
Sensitive information for shooting down intercontinental missiles as well as bank details and NHS records was found on old computers, researchers say.
Of 300 hard disks bought randomly at computer fairs and an online auction site, 34% still held personal data.
Researchers from BT and the University of Glamorgan bought disks from the UK, America, Germany, France and Australia.
The information was enough to expose individuals and firms to fraud and identity theft, said the researchers.
Professor Andrew Blyth said: "It's not rocket science - we used standard tools to analyse the data".
The research involving the Welsh campus was led by BT's Security Research Centre and included researchers at Edith Cowan University in Australia and Longwood University in the US.
In addition to finding bank account details and medical records, the work unearthed job descriptions and personal identity numbers as well as data about a proposed $50bn currency exchange through Spain.
Details of test launch procedures for the THAAD (Terminal High Altitude Area Defence) ground-to-air missile defence system was found on a disk bought on eBay.
The missile system, tested as recently as March 2009 following a controversial missile test by North Korea, is designed to destroy long-range intercontinental missiles launched by terrorists or countries the US considers to be "rogue states".
The missile system was designed and built by US defence group Lockheed Martin and the same computer hard disk also revealed security policies and blueprints of facilities at the group, and personal information on employees.
The researchers said a disk from France included security logs from an embassy in Paris, while two disks from the UK appear to have originated from a Scottish health board.
The disks had information from the Monklands and Hairmyres hospitals, part of Lanarkshire health board, and revealed patient medical records, images of x-rays, medical staff shifts and sensitive and confidential staff letters.
Another disk, from a US-based consultant, formerly with a US-based weapons manufacturer, revealed account numbers and details of proposals for the $50bn currency exchange as well as details of business dealings between organisations in the US, Venezuela, Tunisia and Nigeria.
Personal correspondence was also found from a member of a major European bank.
Prof Blyth, an expert in computer forensics and principal lecturer at the University of Glamorgan's faculty of advanced technology, said the results were in line with previous studies which showed 40%-50% of second-hand disks that can be powered up contained sensitive data.
He said: "While it's not getting worse, its not getting any better either.
"It's not rocket science. I could probably take somebody who is 14 or 15 years old and in a day have them doing this."
Dr Andy Jones, head of information security research at BT, said: "It is clear that a majority of organisations and private individuals still have no idea about the potential volume and type of information that is stored on computer hard disks.
"Businesses also need to be aware that they could also be acting illegally by not disposing of this kind of data properly."
In a statement, Lanarkshire health board said: "This study refers to hard disks which were disposed of in 2006. At that time NHS Lanarkshire had a contractual agreement with an external company for the disposal of computer equipment.
"In this instance the hard drives had been subjected to a basic level of data removal by the company and had then been disposed of inappropriately. This was clearly in breach of contract and was wholly unacceptable."
The board has carried out a review of its policies and now no longer uses external companies to dispose of IT equipment, the statement added.
A spokesman for Lockheed Martin said the company was not aware of any "compromise of data" related to the THAAD programme, and no government or law enforcement agency had notified it of any such loss.
The results of the study, the fourth in a five-year project, will be made available in a paper appearing in the next issue of the Journal of International Commercial Law and Technology (JICLT) 2009. THE BBC