Idaho utility hard drives, with data, turn up on eBay

04.05.2006

Simson Garfinkel, a postdoctoral fellow at Harvard's Center for Research on Computation and Society, researched the issue by buying more than 1,000 hard drives on eBay to see what sort of data could be gleaned from them. He found disk drives that held information from an ATM; a medical center (the drive held 31,000 credit card numbers); a supermarket credit card processor; and a travel agency that had discarded data on travel plans, credit card numbers and ticket numbers. "One of the drives had consumer credit applications on it -- names, work histories, Social Security numbers -- all the information you need to apply for credit."

Even though drives may have been wiped of data, someone with the know-how and patience could still retrieve information, Garfinkel said. Standard tools such as Format and Del simply remove the reference to the files -- the data is still there. Garfinkel himself has written a number of tools to retrieve information such as email addresses and credit card numbers from wiped disks.

Despite his findings, Garfinkel said companies seem to be doing a better job protecting data, and he pointed to the Fair and Accurate Credit Transactions Act as a possible reason. "The percentage of drives out there that have usable data is going down, so companies are more aware of the issue," he said.

Similarly, when Houghton's company has done an audit on clients' supposedly wiped disk drives, 25 percent to 30 percent of them still had readable data, he said.

Idaho Power said in the future it would destroy drives rather than sell them for salvage -- a policy Garfinkel backs. "The resale value of a hard drive is really minuscule, and it's easy to verify it's been destroyed," he said. "These things are worth $5 to $20 each. I don't think anyone's buying them on the secondary market for extortion, but you never know."
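An added example (not from the article and not one of Garfinkel's tools): a minimal pre-disposal check of the kind an audit of supposedly wiped drives implies, assuming the wipe policy is a zero-fill overwrite. It reads a raw image sector by sector and reports counts of sectors that still hold data, along with card-like (Luhn-valid) and email-like strings; the image and the record in it are constructed.

```python
import io
import re

SECTOR = 512
CARD_RE = re.compile(rb"(?<!\d)\d{13,16}(?!\d)")   # runs of 13-16 ASCII digits
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def luhn_ok(digits: bytes) -> bool:
    """Luhn checksum, used to discard digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48                      # ASCII digit -> int
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def audit_image(stream, sector=SECTOR):
    """Count residual data in a raw image. Reports counts only, never values.
    Assumption: a sanitized drive is all zeros. Strings that straddle a
    sector boundary are not matched by this simple per-sector scan."""
    report = {"sectors": 0, "nonzero_sectors": 0, "card_like": 0, "email_like": 0}
    while True:
        block = stream.read(sector)
        if not block:
            break
        report["sectors"] += 1
        if block.count(0) != len(block):            # sector still holds data
            report["nonzero_sectors"] += 1
            report["card_like"] += sum(luhn_ok(m.group())
                                       for m in CARD_RE.finditer(block))
            report["email_like"] += len(EMAIL_RE.findall(block))
    report["clean"] = report["nonzero_sectors"] == 0
    return report

def make_sample_image():
    """Constructed 8-sector image: the first sectors are zeroed, as if only the
    file references were removed, but one data sector was never overwritten."""
    record = b"name=Test User;card=4111111111111111;ref=1234567890123456;mail=user@example.com"
    image = bytearray(8 * SECTOR)
    image[3 * SECTOR:3 * SECTOR + len(record)] = record
    return bytes(image)

if __name__ == "__main__":
    print("after delete/format:", audit_image(io.BytesIO(make_sample_image())))
    print("after zero-fill:    ", audit_image(io.BytesIO(bytes(8 * SECTOR))))
```

On a real drive the same function can be pointed at a read-only image file opened in binary mode; any result other than `clean: True` means the drive should not leave the building.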