An investigation by Channel 4 News has revealed that two of the UK's most popular pawn shops are selling second-hand phones without deleting the previous owner's data.
CEX and Cash Converters have not been wiping the data from second-hand phones to a sufficient level, meaning that specialist software can still pull personal data from phones.
SensePost, a provider of information security services, worked with Channel 4 News by using software to access data from second-hand phone. It took less than an hour to retrieve personal data about the previous owner.
The data included texts, bank details, photos and internet searches. SensePost were also able to access Facebook accounts.
Chief executive of Cash Converters, David Patrick, told Channel 4 News that standard procedures for deleting data on phones was in place.
"All phones are wiped to a standard level and full factory restores are carried out. It is our understanding that specialist software may still be able to recover certain information stored on the phone, but we do everything in our power to ensure all personal data is removed from the device."
However, the investigation has shown that restoring phones to their factory settings are not enough to wipe the phone's memory completely.
Sven Boddington, vice president of global marketing and client solutions at Teleplan believes that these business need to do more to ensure that personal data is completely wiped, rather than to just a "standard level".
"To say its worrying to find two of the largest pawn shop chains are selling mobile phones with data still on them is an understatement. As consumers, we are becoming increasingly reliant on our mobile devices, from basic communications, social media, to mobile banking and payment transactions, and therefore the data they carry is more and more sensitive.
"Businesses that process mobile devices such as smartphones and tablets for use as second hand products have a responsibility to the sellers, and buyers of these devices to ensure that the proper security procedures are applied so that personal data is thoroughly and permanently destroyed. It's not good enough to delete the personal data to only a "basic standard" or worse still, not at all as there is an obligation to comply with data protection laws."
Since the investigation, both Cash Converters and CEX are investigating new procedures to fully erase second-hand phones to protect the previous owner's personal data.
M86 Security is a global provider of web and e-mail security products. We are the only security company able to provide integrated, reliable and...
Established in 1957, BCS, The Chartered Institute for IT, promotes wider social and economic progress through the advancement of information...