Put simply, before you sell or give away mobile phones, tablets, desktop computers, laptops or USB drives or other items with data storage such as cameras with memory cards, the contents should be deleted. The risks do depend on your use of the device prior to its disposal and the new recipient of the device. Of course, it is necessary to make sure you have a safe copy of your data or fully operational replacement devices prior to disposing of your old devices. Consider what is on your device such as:
- Browser history
- Saved passwords
- Personal financial records
- Access to emails and social media accounts
- Customer data
- Retained links to licensed software
- Active logons such as iCloud
- Links to external storage services such as Dropbox, Google Drive and One Drive
This is not an exhaustive list, but what is important is for you to think about what is on your device. Although gaining access to data on devices depends on the level of security implemented, it should be assumed that if someone wants access, they will eventually get it, and this will often be determined by the value of the data and the effort required to gain access. In the wrong hands the data could be detrimental to personal safety and security. Where devices belong to businesses, the data could compromise the personal safety and security of employees or customers. If the device is being sold, the buyer will of course expect to be able to use it so it is unlikely that it would be sold with any security enabled.
Several years ago, I bought a mobile phone from eBay and found that it still had 100s of personal contacts, numerous text messages that had not been deleted, including some in the outbox waiting to be sent. My initial thought was that I had purchased a stolen phone, but upon further investigation and telephone conversations with contacts in the phone, I was able to confirm the sale was genuine, just that the phone was not cleaned prior to its sale. In this case, the previous owner had traded in his phone for a newer model, and my purchase was from the trader. Its condition was marked as ‘refurbished’, which clearly didn’t include a factory reset.
The way data is stored on devices, the data may not be thoroughly deleted and additional steps are needed to destroy the digital data. Storage devices work by having an index of files, and the index points to the physical location of where the data is stored. For speed of operations, deleting files often deletes the entry from the index leaving the data intact but no longer visible. The files essentially remain intact until the space is allocated to new files. If files are not securely deleted, the data can be recovered.
- Consider removing the hard disk from desktops and laptops and destroying them rather than attempting to securely delete the data. Industrial shredding services are available that will turn a hard disk into 1000s of small pieces of metal. Failing that a hammer can be used to render a hard disk useless. The approach taken should be relative to the value of the data you are trying to protect.
- Selling or giving away desktops and laptops without a hard disk is a viable option. New owners can easily purchase replacement drives and have a fully operational system.
- Restore devices to factory default. For example, Apple iOS has the option in settings to reset device and remove all data. Windows 10 also has an option to reset the operating system and destroy all existing data. Reinstalling the operating system from installation media is an available option. This allows devices to be sold or given away in a state where the new owner can log on as a 1st time user.
- Utilities such as ‘CCleaner’ have options to securely delete the empty space on hard disks and securely delete entries in the index to prevent data from ever being recovered.
Robert is an information security consultant with over 20 years of experience across a diverse range of organisations, both in the UK and internationally. Robert graduated in 1997 with an honours degree in software engineering for security and safety-critical systems. Robert is contactable directly through LinkedIn.