Personal details retrievable from ‘wiped’ phones
Digital forensic investigators working on behalf of Deloitte were able to use a variety of specialist techniques and tools to extract the identity of owners, PPS numbers, PayPal login details, and personal and work emails from a range of mobile devices of various makes, including smartphones and tablets.
Deloitte tested two scenarios: a simulation of lost or stolen devices, which were borrowed from willing participants; and a set of second-hand phones which were bought and which had been factory-wiped, a process often completed before a phone is sold and often relied upon to prevent information from being recovered.
In the case of the “stolen” phones, 50% were encrypted and 90% were passcode-locked.
In 90%, it was possible to identify the owners’ email addresses; in 75% of cases the owner was identifiable; in 75% the owners’ contacts were recovered; in 40% a variety of passwords were recovered; and in 25%, PPS numbers could be identified as they were stored in contacts or SMS messages.
Of the factory-wiped phones, 40% were encrypted. The owners could be identified in 70% of them; in 85% of cases it was possible to access text and chat logs; in 60% it was possible to retrieve contacts; in 60% it was possible to identify the owners’ email addresses; in 30% of cases a variety of passwords were recovered; and in 15% of cases PPS numbers were recovered.
Commenting on the research findings, Jacky Fox, IT forensic lead with Deloitte and author of the report, said: “There is no doubt that smartphone technology has been hugely beneficial, both for individuals in their personal lives and also in the mobile workplace, but we have to balance the opportunities with the reputational and legal risks of a data breach.
“An individual piece of data may not pose a particular risk, but the cumulative effect of all the data provides a far more detailed picture, and significant risk.”
Deloitte has suggested a number of ways in which smartphone users can protect their personal and corporate data in the event of a loss, theft, or the move to a new device. They include:
- Put a passcode on your phone.
- Enable encryption if your phone has that functionality.
- Protect your corporate data by using complex passwords or device encryption.
- Wipe old phones.
- Enable the remote wipe facility if possible.
- Record the IMEI number.
- Protect your phone back-ups.
- Vet your apps.
- Safely dispose of old phones.



