Is Your Old Smartphone A Stoolpigeon?

In past articles, we’ve written extensively about security. We even had a post that warned of old office copiers that were returned to leasing companies where they were refurbished and leased to other companies without wiping out the old data on the hard drive.

While perusing the security forums last week, I came across a blog article from AVAST about thousands of old smartphones for sale every single day that could potentially expose personal and confidential user information because the data on those old phones were not wiped, just merely deleted.

As a test, AVAST, an anti-virus company, purchased a few smartphones from eBay and found:

  • 1000’s of photos of family and children – not something you’d want circulating on the internet
  • Google searches – revealing personal interests that can be used in targeted fraud schemes
  • Emails – disclosing personal communications and information
  • Contact information – that can be used to further perpetrate frauds and scams
  • Owner identities – used by criminals in identity theft schemes
  • Financial documents – that can be used to drain bank accounts

According to AVAST, over 80,000 used smartphones are for sale every day. If you allow personal mobile devices to access your business network, there’s the additional potential of exposing confidential company data if your employees aren’t aware of the risks.

As a business owner or executive, you should be asking yourself at least 3 questions:

  1. Has anyone from my company sold or discarded a personal phone that contains corporate data?
  2. If so, what corporate information has been unknowingly exposed?
  3. What is the potential damage if a phone with company information falls into criminal hands?

It is vital that you have policies and procedures in place covering the discarding of personal mobile devices that are allowed access to your network to ensure that your company and client information is protected. Not doing so, can leave your company legally exposed if the data gets into the wrong hands.

Remember, smartphones are mini computers and need to be treated as such. Merely deleting files is not enough.

When you delete data from a hard drive, it is not really gone. The operating system changes the file’s address so it’s not visible. Deleted files aren’t truly gone until the location they’re occupying on the drive is overwritten by new data.

There are open source, forensic programs freely available that can recover deleted files from drives that have not yet been overwritten. It’s the same technology used by law enforcement to recover information from a suspect’s computer.

There are apps on the market that will erase the data on your smartphone. As always, check them out thoroughly before installing and using any of them. A  Lifehacker article explains how to securely erase a smartphone before selling it using programs already on your iPhone or Android phone.

We strongly suggest keeping the SIM and MicroSD cards and not including them as part of the sale. It’s also a good idea to encrypt the data first, then securely erase the phone’s contents using the appropriate device’s features. Be aware that older phones may not have secure features like encryption, etc. You need to do your homework before giving your phone away!

While researching the subject, I found a Wired article suggesting that it is still possible to recover data even after taking suggested precautions. The article suggests that the only way to be sure your data is safe is to smash it to pieces.

Maybe, it isn’t such a good idea to sell your old smartphone after all? The real cost to you may be much higher than the amount of money you were paid for it.

If you have any questions or concerns, give us a call at (845) 362-9675.

XSolutions is a Managed Services Provider (MSP) and provides 24/7/365 remote monitoring, scheduled workstation and server maintenance, Help Desk Services, Cloud & Hosted Services, Backup/Disaster Recovery, and Software Development. Call us at (845) 362-9675 and see how we can help your company.