Nearly One in Four Second Smartphones Contain Sensitive Data Says Survey

New research from BT, the University of Glamorgan in Wales and Edith Cowan University in Australia has revealed that a significant number of hand-held communication devices which are bought second-hand still contain sensitive company and personal information.

The survey of over 160 used gadgets found a range of information including salary details, financial company data, bank account details, sensitive business plans, details of board meetings and personal medical details.

The devices containing the greatest volume of information were discarded Blackberry devices which in a number of cases were left unprotected, despite having security features like encryption built in.

Forty-three per cent of those examined contained information from which individuals, their organisation or specific personal data could be identified creating a significant threat to both the individual and the organisation.

It is thought that this is the result of the increasing adoption and use of this type of device by organisations to support increasingly mobile workforces.

Whilst being far less sophisticated, 23 per cent of the mobile phones examined still contained sufficient individual information to allow the researchers to identify the phone's previous owner and employer.

In one example, a Blackberry was examined that had been used by the sales director for Europe, the Middle East and Africa (EMEA) of a major Japanese corporation.

It was possible to recover the call history, the address book, the diary and the messages from the device and the information that was contained in these provided the business plan of the organisation for the next period, the identification of the main customers and the state of the relationships with them, the relationship of the individual with their support staff etc.

The research highlights a lack of awareness amongst businesses about the amount of data that can be retrieved from mobile devices. The situation is made more complex as most of the devices are provided by a supplier as part of a mobile communications service.

When they reach the end of their effective life, in most cases somewhere between one and two years, they have little or no residual value and they are not, in most cases, given any consideration with regard to the data that they may still contain.

For a significant proportion of the devices that were examined, the information had not been effectively removed and as a result, both organisations and individuals were exposed to a range of potential crimes. These organisations had also failed to meet their statutory, regulatory and legal obligations.