Cash Converters and CEX fail to wipe secondhand smartphones
Failure to wipe personal data leaving phone users vulnerable to fraud, investigation finds.
Two of the UK's biggest pawnbroking chains failed to delete personal data from smartphones, an investigation by Channel 4 News has found.
The news programme's "Data Baby" investigation revealed that Cash Converters and CEX sold phones still containing information from previous owners, despite assurances that the devices would be wiped before being sold on.
Information found on phones sold to investigators included text messages, passwords, credit card details and internet search histories. Other information included photographs of employee documents revealing corporate email addresses and passwords as well as porn sites visited by a teenager. The information could leave previous owners open to fraud, blackmail or identity theft.
The investigation saw Channel 4 News teaming up with IT security firm Sensepost. Glen Wilkinson, a security analyst at the firm, said although the devices looked as if they had been wiped, sensitive data was still present on them and that this data could still be accessible.
"The phones look like they're completely blank, but the data is still there in the memory," said Wilkinson. "You can use software to find it, and that software is freely available for download. I can teach you how to access the data in 10 minutes."
Cash Converters chief executive David Patrick told Channel 4 News that, while the company does wipe all phones before selling them, it knew that under some circumstances it was still possible to retrieve data from the devices.
"All phones are wiped to a standard level and full factory restores are carried out," he said. "It is our understanding that specialist software may still be able to recover certain information stored on the phone, but we do everything in our power to ensure all personal data is removed from the device."
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Sven Boddington, vice president of global marketing and client solutions at Teleplan, said retailers need to do more to prevent sensitive information from getting into the wrong hands.
"To say it's worrying to find two of the largest pawnshop chains are selling mobile phones with data still on them is an understatement. As consumers, we are becoming increasingly reliant on our mobile devices, from basic communications, social media, to mobile banking and payment transactions, and therefore the data they carry is more and more sensitive," he said.
"Businesses that process mobile devices such as smartphones and tablets for use as second hand products have a responsibility to the sellers, and buyers of these devices to ensure that the proper security procedures are applied so that personal data is thoroughly and permanently destroyed. It's not good enough to delete the personal data to only a 'basic standard' or worse still, not at all as there is an obligation to comply with data protection laws."
Following the investigation both firms said they would investigate new procedures to completely erase second-hand phones to protect the previous owner's personal data.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.