“(Mom) was told everything was off there. You can see other areas where items were deleted. In this case, it’s not a big deal because (she gave the phone to) a relative,” the woman explained.
The recipient found a picture of her own son and his fiancée on the device after Verizon had informed its original owner they’d wiped the device clean.
While an engagement photo is a fairly benign bit of data to leave behind, the risks are far greater with most recycled equipment.
The security team at Avast.com knows a thing or two about abandoned data. Since 2014, they’ve been buying used devices to document the risks. In 2014, Avast researchers purchased 20 used phones on Amazon and eBay. They were able to recover over 40,000 photos, emails, and notes on those ‘wiped’ devices. Last month, they released a second report after purchasing phones at pawn shops in four countries.
“All 20 were factory reset and wiped clean,” the authors wrote. “Half the phones still contained data.”
That list included over 2,000 photos including 149 of children, 200 racy photos and one adult video, four business documents and identity data on two former owners. Researchers said outdated Android operating systems on some units were part of the issue. Those devices contained a defective factory reset function. Avast offers a free Anti-Theft app in the Google Play store to make sure your reset is comprehensive.
Photos of an engagement photo are pretty benign compared to other risks. Imagine medical files or payroll information left on a discarded computer. Whether the device was designated for personal or business use, its contents can be a gold mine in the hands of a hacker. Where that data could travel before it’s discovered is anybody’s guess.
In July 2013, an estimated 16,000 current and former employees of Harris County in Texas received letters indicating their data had been compromised. What those letters didn’t explain is how Texas workers’ personal information had ended up half a world away.
Vietnam is where the FBI discovered the data before alerting officials in Houston. The Bureau found critical information including names, dates of birth and Social Security numbers (SSN).
When the FBI or Secret Service gives a business the heads up about a data breach, that normally indicates the data has been used in an undesirable way. In the Harris County case, it’s likely that some recycled office computers or other equipment triggered the data breach. Computers may be deemed obsolete but the data contained on a hard drive is probably just as valuable as the day it was first entered.
It’s your data so don’t trust someone else to erase it. Users about to upgrade a device should do some homework. Many mobile devices have the option to restore factory settings but that’s clearly not a guarantee as the Verizon case illustrates.
It’s a pain but you should double check for any data the restore function might leave behind. Consider the Avast app if you’re an Android fan. Apple offers its own tutorial on how to wipe out a phone or iPad. If you’re recycling a laptop or desk computer, wiping out data you’d rather not share is critical but it may require you to overwrite the hard drive.
At work, there’s even greater risk when a device is recycled. Several years ago, Affinity Health Plan paid over $1,200,000 in fines to the U.S. government after the firm exposed protected health information on 344,500 individuals. Several copy machines had been returned to a leasing agent without having their hard drives erased. Perhaps the employees didn’t even realize that the machines contained hard drive storage.
The Identity Theft Resource Center (ITRC) has warned about the copier problem and other recycling risks for years. Spokeswoman Eva Velasquez recently told NBC News in Los Angeles that crooks know where to look.
“About five years ago, several fraud rings were busted buying recycled copy machines where all the images were saved in the hard drive, and probably the more concerning was police departments had recycled their copy machines and all the photocopies and police reports were in the hands of the criminal element.”
If you’ve ever purchased a recycled device and found it packed with someone’s personal information, we’d like to hear your story. Write to firstname.lastname@example.org.