A new phone or laptop is expensive. So you trade in an old one to fund the upgrade. Straightforward, right? And thousands of businesses do the same every year. But that means there’s a whole big world out there of resold devices that may still have more of your data on them than they are supposed to. A lot more.

A new study (PDF), conducted by the Blancco Technology Group, finds that a staggering amount of personal and confidential information is retrievable from used, resold, or refurbished devices that have supposedly been wiped. Of the 200 devices they tested, 78% — more than three-quarters — had some kind of residual data on them that should not have been there.

Now, it’s worth remembering that the study was conducted by a firm that makes its money from promising secure data erasure — so it has a strong vested interest in these results. (“Hey, your data isn’t erased. Hire us!”) Even so, the numbers are surprisingly high.

The study looked at a total of 200 device drives acquired during the first quarter of 2016. Of the bunch, 8% were solid-state drives (the newer, smaller, faster drives you find in modern laptops and increasingly in desktop PCs) and the remainder were standard magnetic hard drives. All of the drives were bought on eBay or Craigslist, and were randomly chosen, basically, for being available.

67% of the drives, in total, had some kind of personally identifiable information on them, including:

43% of the drives had photos

24% of the drives had GPS data (including photos with GPS data)

23% of the drives had social security numbers

21% of the drives had financial data

10% of the drives had resumes

That’s a lot of very personal information that could be used in a great many damaging ways, and while maybe not all photos or resumes are deeply personal, the fact that roughly a quarter of the drives they searched through had social security numbers on them should be worrying to basically anyone who’s tossed any of their old digital hardware.

Another 11% of the drives had retrievable corporate data on them — and some of that was individual data, too. 9% of the drives had business e-mail on them, 5% had readable spreadsheets of some kind, and 3% had retained customer data.

So why were so many drives still so rife with information that shouldn’t have been in random strangers’ hands? Part of it is the difference between “deleting” data and “erasing” data, the report points out. When you delete a file on a computer by dragging it to the Trash or Recycle Bin, or by using the delete key, that doesn’t actually destroy the data.

Formatting a drive does erase the data on it, but not all format commands are created equal. A quick format — used on 40% of the drives in the sample — still leaves some residual data kicking around to be accessed. A full format — used on 14% of the drives — will do you a little better, but may still miss crucial information.
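To make the delete-versus-erase distinction concrete, here is an added example (not from the Blancco report or the original article) that models a drive in memory and runs a residual-data check after each operation. ToyDisk, residual_report and the sample record are hypothetical and constructed for illustration; the model deliberately ignores real filesystem details and SSD behavior.

```python
import re

BLOCK = 512  # bytes per block on the toy disk (assumed size)
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")  # SSN-shaped strings

class ToyDisk:
    """Hypothetical model: a file table (name -> block numbers) plus raw blocks."""
    def __init__(self, nblocks=64):
        self.raw = bytearray(nblocks * BLOCK)
        self.quick_format()

    def write(self, name, data):
        blocks = []
        for off in range(0, len(data), BLOCK):
            b = self.free.pop(0)
            chunk = data[off:off + BLOCK]
            self.raw[b * BLOCK:b * BLOCK + len(chunk)] = chunk
            blocks.append(b)
        self.table[name] = blocks

    def delete(self, name):
        # "Delete": drop the table entry and mark its blocks free; contents stay.
        self.free.extend(self.table.pop(name))

    def quick_format(self):
        # Quick format: fresh, empty file table; data blocks are not rewritten.
        self.table, self.free = {}, list(range(len(self.raw) // BLOCK))

    def overwrite_all(self):
        # Erase: every block is rewritten with zeros, then the table is reset.
        self.raw[:] = bytes(len(self.raw))
        self.quick_format()

def residual_report(raw):
    """Verification check: non-zero blocks and SSN-shaped hits in a raw image."""
    dirty = sum(1 for i in range(0, len(raw), BLOCK) if any(raw[i:i + BLOCK]))
    return {"dirty_blocks": dirty, "ssn_hits": len(SSN_RE.findall(raw))}

def demo():
    disk = ToyDisk()
    # Constructed record; 000-12-3456 is not an issuable SSN.
    disk.write("tax.txt", b"name=Test User ssn=000-12-3456\n" * 40)
    results = {"written": residual_report(disk.raw)}
    disk.delete("tax.txt")
    results["deleted"] = residual_report(disk.raw)
    disk.quick_format()
    results["quick_format"] = residual_report(disk.raw)
    disk.overwrite_all()
    results["overwritten"] = residual_report(disk.raw)
    return results

if __name__ == "__main__":
    print(demo())
```

In this model the report is identical after the write, the delete and the quick format, and only the overwrite brings both counts to zero. The same kind of scan, pointed at a raw image of a drive you are about to sell, is a way to confirm that a wipe actually took.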

Naturally, Blancco recommends purchasing a tool to do complete data erasure. And of course, they are happy to sell you their service to do just that. Still, they’re not necessarily wrong. Digital data can be highly sensitive and personal, and it can be harder and harder to guarantee its destruction on your own. And for businesses, which can lose all of their customers’ valuable data as well, investing in doing it right is a better call than not doing it at all.