Personal information including identity, PPS numbers, PayPal login details, and personal and work emails, can be retrieved from lost or stolen smartphones and tablets, even after a factory reset, new research suggests.
The research by Deloitte into stolen phones, of which 50pc were encrypted and 90pc were passcode locked, found that 90pc of the time it was possible to identify the owners’ email address and 75pc of the time it was possible to identify the owner.
In 40pc of cases, a variety of passwords were recovered and in 25pc of cases PPS numbers could be identified as they were stored in contacts or SMS messages.
In the case of factory-wiped phones (40pc encrypted) in 70pc of the cases the owner was identifiable and in 85pc of cases it was possible to access text and chat logs.
In 60pc of cases it was possible to retrieve contacts and the owner’s email addresses.
In 30pc of cases a variety of passwords were recovered and in 15pc of cases PPS numbers were recovered.
The risk factor posed by second-hand devices
“With over 12,000 phones being stolen each year, combined with the fact that many mobile phones are upgraded every 18-24 months, there are a substantial number of second-hand phones in circulation,” Colm McDonnell, partner in charge of enterprise risk at Deloitte said.
“The purpose of this research was to determine what data was retrievable and the results clearly show the very real need for both organisations and individuals alike to protect their data and maximise privacy.”
In addition to the risks posed by the theft of personal data, Deloitte also emphasised the need for businesses to understand their legal obligations with regard to data held on smartphones and other BYOD used in the workplace.
In the 21st century, blocking mobile access completely, while secure, is not conducive to the mobile office and a balance needs to be found between accessibility and security requirements.
“There is no doubt that smartphone technology has been hugely beneficial, both for individuals in their personal lives and also in the mobile workplace, but we have to balance the opportunities with the reputational and legal risks of a data breach,” Jacky Fox, IT forensic lead at Deloitte said.
“An individual piece of data may not pose a particular risk, but the cumulative effect of all the data provides a far more detailed picture, and significant risk.”
“Deloitte’s report confirms that it is not only dumb users with smartphones who may suffer the loss of sensitive data if their mobile devices are lost or stolen – even those who think they’ve taken prudent security precautions may still be vulnerable,” said Dermot Williams, managing director of Irish IT security company Threatscape.
“A determined attacker equipped with forensics tools may be able to bypass security features such as lock codes to directly access the memory contents of a device. And a factory reset should not be confused with a more comprehensive secure wipe since just as PC users have known for years that accidentally deleted files can be undeleted with the appropriate tools, even after a factory reset much of original content on a mobile device may still be present if only the file index has been wiped.
“While it is likely that the majority of stolen phones are targeted by petty thieves for their resale value alone, users should not be complacent about the possibility of falling prey to a more targeted theft by someone seeking valuable data, and even a randomly stolen device may have its contents trawled by a technician in the sort of unscrupulous backstreet repair outlet willing and able to unlock stolen devices.
“Having a lock code on your phone is a good start when it comes to securing the data it contains; also having the ability to securely wipe it is better – but encrypting all of the data with a strong password is best of all and most modern handsets now provide this capability,” Williams added.