At least one in five 2nd-hand mobile phones contain sensitive information
Published on: 1st Oct 2008
Note -- this news article is more than a year old.
New research from BT, the University of Glamorgan in Wales and Edith Cowan University in Australia has revealed that a significant number of hand held communication devices which are bought second hand still contain sensitive company and personal information.
The survey of over 160 used gadgets found a range of information including salary details, financial company data, bank account details, sensitive business plans, details of board meetings and personal medical details.
The devices containing the greatest volume of information were discarded Blackberry devices which in a number of cases were left unprotected, despite having security features like encryption built in. Forty-three per cent of those examined contained information from which individuals, their organisation or specific personal data could be identified creating a significant threat to both the individual and the organisation. It is thought that this is the result of the increasing adoption and use of this type of device by organisations to support increasingly mobile workforces.
Whilst being far less sophisticated, 23 percent of the mobile phones examined still contained sufficient individual information to allow the researchers to identify the phone's previous owner and employer.
In one example, a Blackberry was examined that had been used by the sales director for Europe, the Middle East and Africa (EMEA) of a major Japanese corporation. It was possible to recover the call history, the address book, the diary and the email messages from the device.
Dr Andy Jones, head of information security research at BT, who led the survey, said: "Given the level of exposure that the subject of security and identity theft has recently received, and the availability of suitable tools to ensure the safe disposal of information, it is difficult to understand why organisations are not taking the necessary precautions when disposing of hand-held devices. These everyday items now contain sophisticated digital memory capable of storing huge amounts of sensitive data. Organisations must ensure that adequate procedures are in place to destroy any data and to check that these procedures are effective."
Dr. Iain Sutherland, who leads the research team at the University of Glamorgan, added: "Many large organisations currently dispose of obsolete hand-held devices by donating them to charities. It was discovered during the course of the research that a number of these charities then pass on a large percentage of these devices to places like China and Nigeria, both of which are regarded as posing a real threat to the security of information."
The research highlights a lack of awareness amongst businesses about the amount of data that can be retrieved from mobile devices. The situation is made more complex as most of the devices are provided by a supplier as part of a mobile communications service. When they reach the end of their effective life, in most cases somewhere between one and two years, they have little or no residual value and they are not, in most cases, given any consideration with regard to the data that they may still contain.
For a significant proportion of the devices that were examined, the information had not been effectively removed and as a result, both organisations and individuals were exposed to a range of potential crimes. These organisations had also failed to meet their statutory, regulatory and legal obligations.
The research was undertaken at the BT Centre for Information and Security Systems Research, the University of Glamorgan and in Australia at Edith Cowan University in Perth. The results were based on the examination of 161 hand-held devices that were purchased from on-line auction sites, commercial organisations involved in the supply of second hand hand-held devices and auctions or were donated to the research by SIMS Lifecycle Services.