Before you sell, give away or recycle mobile phones, tablets, desktop computers, laptops or USB drives or other items with data storage such as cameras with memory cards, delete the data. It is, of course, necessary to make sure you have a safe copy of your data or fully operational replacement devices before disposing of your old devices. Consider what is on your device, such as:
- Browser history
- Saved passwords
- Personal financial records
- Access to emails and social media accounts
- Customer data
- Retained links to licensed software
- Active logins such as iCloud
- Links to external storage services such as Dropbox, Google Drive and One Drive
This list is not exhaustive, but what is essential is for you to think about what is on your device. Although gaining access to data on devices depends on the level of security implemented, assume that if someone wants to access it, they will eventually get access; determined by the value of the data and the effort required to gain access. In the wrong hands, the data could be detrimental to personal safety and security. Where devices belong to businesses, the data could compromise the personal safety and security of employees or customers. If you are selling the device, the buyer will expect to be able to use it, so you are unlikely to have any enabled security.
Several years ago, I bought a mobile phone from eBay and found that it still had 100s of personal contacts, numerous text messages that had not been deleted, including some in the outbox waiting to send. My initial thought was that I had purchased a stolen phone, however, upon further investigation and telephone conversations with contacts in the phone, I was able to confirm the sale was genuine, just the seller had not wiped the phone. In this case, the previous owner traded in his phone for a newer model, and I bought the phone from the trader. The eBay listing showed the phone as ‘refurbished’, which didn’t include a factory reset.
Additional steps are often required to delete the data thoroughly. Storage devices work by having an index of files, and the index points to the physical location of where the data is stored. For speed of operations, deleting files often deletes the entry from the index leaving the data intact but no longer visible. If you don’t securely delete the files, someone could recover them.
- Consider removing the hard disk from desktops and laptops and destroying them rather than attempting to delete the data securely. Industrial shredding services are available that will turn a hard disk into 1000s of small pieces of metal. You could use a hammer to render a hard disk useless. The approach taken should be relative to the value of the data you are trying to destroy.
- Selling or giving away desktops and laptops without a hard disk is a viable option. New owners can easily purchase replacement drives and have a fully operational system.
- Restore devices to factory default. For example, Apple iOS has the option in settings to reset the device and remove all data. Windows 10 also has a built-in feature to reset the operating system and destroy all existing data. Reinstalling the operating system from installation media is an available option. These options allow you to sell or give away devices in a state where the new owner can log in as a 1st time user.
- Utilities such as ‘CCleaner’ have options to securely delete unused space on hard disks and securely delete entries in the index to prevent data from ever being recovered.
Robert is an information security consultant with over 20 years of experience across various organisations, both in the United Kingdom and internationally. Robert graduated in 1997 with an honours degree in software engineering for security and safety-critical systems. Contact Robert directly through Linked In.