
The fateful sale of a hard disk

May 08, 2023

In 2023, Thomas K. was a respected senior data scientist at a European fintech company. He handled sensitive financial data every day and regularly gave internal talks on cybersecurity and privacy. Ironically, the biggest security incident of his career started at home – with his own gaming PC.

Thomas wanted to upgrade his setup and decided to sell his old high-end machine on eBay Kleinanzeigen. To “be safe,” he pulled the 4 TB SSD, connected it to another computer, and ran a quick Windows format. “Good enough,” he thought. After all, he was a professional. What he didn’t realize: a standard format does not securely erase data. The file system table is reset, but the actual data remains on the drive, fully recoverable with the right tools.

A few days later, the buyer appeared: Alex, a 28-year-old IT freelancer with an interest in data recovery – and a very flexible moral compass. When the PC arrived without a drive, Alex casually asked if Thomas still had the original SSD.

“Sure, I can throw it in for free,” Thomas replied. A nice gesture, a few extra euros saved. And the first step into a nightmare.

“Pay 14,000 € in Bitcoin – or we go public.”

Two days after the SSD arrived, Alex connected it to his forensic workstation and started a scan with professional recovery software. Within minutes, the drive “came back to life”:

  • online banking credentials
  • tax documents and contracts
  • internal project files and code
  • tens of thousands of private photos

And then the worst find: an unencrypted folder containing intimate photos of Thomas’s two ex-girlfriends from years earlier – clearly never meant to leave his private devices.

That same evening, Thomas received an anonymous e-mail from a throwaway account. Attached were three of those photos, plus a message:

“We have your entire SSD.
Pay 14,000 € in Bitcoin within 72 hours –
or your employer, your family and several media outlets receive everything.”

Thomas froze. He knew exactly what such a leak could mean: reputational damage, potential disciplinary action at work, even legal trouble over the photos of his ex-partners. For someone who always preached security, it was a devastating moment.

The desperate search for a solution

In panic, Thomas spent the night searching the web for ways to “erase a drive so that no one can recover it.” He read about overwriting procedures, ATA Secure Erase, and specialized data-erasure tools. Eventually, he purchased iShredder™ for Windows from Protectstar™ – a tool designed exactly for securely wiping drives.

And that’s when the full absurdity of his situation hit him:
No matter how good the erasure software was – the SSD was already 400 km away in Alex’s apartment. The secure wipe would have had to happen before the sale, not after.

For a moment he considered paying. Then the professional in him took over. Blackmailers rarely stop after the first payment. And if the case ever came out, paying might even look worse.

Thomas documented all e-mails, wallet addresses and headers and went to the police.

Digital forensics vs. the blackmailer

The police took the case seriously: extortion based on intimate material and sensitive data is a criminal offense. An investigation was opened, referencing § 253 StGB (extortion) and related data protection aspects.

Over the next weeks, investigators traced the Bitcoin wallet activity and e-mail metadata. Combined with the eBay Kleinanzeigen records, it didn’t take long to narrow things down to Alex.

A house search followed. Officers seized several devices, including:

  • the original 4 TB SSD
  • two external drives with encrypted backups
  • an old laptop that Alex used for other “projects”

Digital forensics showed that the SSD had been fully imaged and backed up. On the laptop, analysts even found leftovers of the recovered intimate photos in thumbnail caches – despite Alex claiming he had “deleted everything already.”

In the end, Alex received a suspended sentence and a substantial fine. The court explicitly noted the severity of abusing recovered private data for blackmail.

Consequences for Thomas

For Thomas, the incident still had a high price. His employer’s legal and HR departments had to be informed. He had a long, very uncomfortable meeting in which he had to explain:

  • why unencrypted private data ended up on a drive he sold
  • why intimate images of third parties were stored without any protection
  • and how this could be reconciled with his role as an internal security “champion”

He kept his job – narrowly. But his credibility took a hit, especially among colleagues who had heard him lecture about “data minimization” and “secure disposal of hardware.”

From cautionary tale to teaching tool

The experience fundamentally changed Thomas. He realized that his mistake had not been a technical one, but one of attitude: “It won’t happen to me.”
From that point on, every security training he gave started with the same slide:

A high-resolution photo of his old SSD.
Caption: “This almost cost me everything.”

He openly shared what had happened and what he had done wrong. Instead of hiding the incident, he turned it into a case study:

  • why a quick format is a digital illusion of safety
  • how easy it is for attackers – or just curious buyers – to recover data from used drives
  • and why secure erasure and encryption are non-negotiable before selling or disposing of hardware

What Thomas wishes he had done

Looking back, Thomas summarizes his lessons in a simple checklist:

  • Quick format ≠ secure deletion
    A normal or even “full” format usually doesn’t overwrite the actual data, especially on SSDs. It just resets structures so the OS considers the space “free.”
  • For HDDs (mechanical drives):
    Use a multi-pass overwrite procedure or professional wiping tools. The goal is to physically overwrite the old data areas.
  • For SSDs and NVMe drives:
    Use the manufacturer’s secure-erase tools or standard commands like ATA Secure Erase / NVMe Sanitize. Good software – such as iShredder™ – can trigger these commands correctly and make sure all usable cells are wiped.
  • Encrypt first, then erase
    If the drive is encrypted from day one (BitLocker, FileVault, LUKS, VeraCrypt etc.), the risk is dramatically reduced. If the key is destroyed, the data is effectively useless – even if someone recovers the raw blocks.
  • Never store intimate material unencrypted
    Not on laptops, not on external drives, not on “old disks in a drawer.” If it must exist at all, then only in encrypted containers or dedicated secure apps.
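The checklist points "Quick format ≠ secure deletion", the overwrite procedure and "Encrypt first, then erase", as an added Python illustration that is not part of the original article or of iShredder™: a constructed toy disk image stands in for the drive, the SHAKE-based keystream is a toy stand-in for the drive's real encryption (labelled as such in the code), and recoverable() is the kind of post-wipe verification a practitioner would run over a raw image before a drive leaves the house.

```python
import hashlib
import os

BLOCK = 512
# Constructed sample document standing in for tax files, credentials, etc.
SECRET = b"IBAN DE00 1234 5678 9012 3456 78 -- tax return 2022"

def make_image(payload: bytes, blocks: int = 64) -> bytearray:
    """Toy disk image: block 0 holds the 'file system table', the payload
    lives in data blocks starting at block 8. Not a real file system."""
    img = bytearray(os.urandom(BLOCK * blocks))      # leftover junk, like a used drive
    img[0:BLOCK] = b"FSTABLE:secret.txt@8".ljust(BLOCK, b"\0")
    img[8 * BLOCK:8 * BLOCK + len(payload)] = payload
    return img

def quick_format(img: bytearray) -> bytearray:
    """Mimics a quick format: only the file system structures are reset,
    the data blocks are left untouched (hence still carvable)."""
    out = bytearray(img)
    out[0:BLOCK] = b"\0" * BLOCK
    return out

def overwrite_wipe(img: bytearray, passes: int = 1) -> bytearray:
    """Mimics a multi-pass overwrite on an HDD: every block is rewritten
    with random data, then zeroed in a final pass."""
    out = bytearray(img)
    for _ in range(passes):
        out[:] = os.urandom(len(out))
    out[:] = b"\0" * len(out)
    return out

def keystream(key: bytes, length: int) -> bytes:
    # Toy keystream for illustration only; real drives use AES-XTS in hardware.
    return hashlib.shake_256(key).digest(length)

def encrypt_image(img: bytearray, key: bytes) -> bytearray:
    """XOR with the keystream; applying it twice with the same key decrypts.
    'Crypto-erase' = destroy the key so only ciphertext remains."""
    ks = keystream(key, len(img))
    return bytearray(a ^ b for a, b in zip(img, ks))

def recoverable(img: bytes, marker: bytes) -> bool:
    """Post-wipe check: does the raw image still carry the plaintext marker?"""
    return marker in bytes(img)
```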

Today, Thomas uses specialized data erasure tools before any drive or device leaves his home – not after. He also made it a principle to encrypt new devices immediately after setup, so that a lost or sold drive can’t turn into another disaster. His story is a reminder that you don’t need to be a hacker to ruin someone’s life; sometimes all it takes is an old SSD, a bit of curiosity – and a careless “quick format.”
