Is your mobile data secure?
Research performed by BT, the University of Glamorgan in Wales and Edith Cowan University in Australia has revealed that mobile phones and PDA bought second-hand still contain a large amount of sensitive company and personal information. The survey looked at 160 different devices and found a range of information including salary details, financial company data, bank account numbers as well as details of board meetings and personal medical files.
The worst offending devices were Blackberrys which, although having security features such as encryption, were often left unprotected. 43% of these were found to contain information from which the individual, their organisation or specific personal data could be identified. 23% of mobile phones still contained information to identify the phone's previous owner and employer.
In one example, a Blackberry was examined and it was found that the device had previously belonged to a sales directory of a major Japanese corporation. It was possible to recover:
- Call history and address book
- The business plan of the organisation for the next period
- The identification of the main customers and the state of the relationships with them
- The relationship of the individual with their support staff
- Details of the personal life of the individual including details of their children and their occupations, movements, marital status, addresses, appointments and addresses for his dental and medical care providers
- Bank account numbers and bank sorting code
- Car make and registration index
"Given the level of exposure that the subject of security and identity theft has recently received, and the availability of suitable tools to ensure the safe disposal of information, it is difficult to understand why organisations are not taking the necessary precautions when disposing of hand-held devices. These everyday items now contain sophisticated digital memory capable of storing huge amounts of sensitive data. Organisations must ensure that adequate procedures are in place to destroy any data and to check that these procedures are effective."Dr Andy Jones, (Head of Information Security Research) BT
As a basic step, all users should ensure that data is wiped from mobile devices before disposal. This is generally easy to do with an option to reset it to factory defaults. If the device has ever held sensitive company or personal data the safest option is to destroy it (and dispose of the electronic waste according to the WEEE directive). This also applies to old SIM cards which can store data as well as possibly being linked back to you and who you have called.