An investigation by Channel 4 News has shown that second-hand smartphones sold in the UK by Cash Converters and CEX may contain recoverable data despite having had a ‘factory reset’.
Information security specialists SensePost used software tools that were “freely available” to find personal information about the phones’ previous users. This included browsing history, contacts, text messages, photographs and personal documents. In addition, stored cookies could have been used to log into email and social network sites.
The report points out that an option to ‘restore factory settings’ will delete the directory that contains personal information but doesn’t overwrite it, which means the data can be recovered using a number of software packages.
CEX told Channel 4 it was “currently rolling out a new procedure that improves on the current erasing technique used in the second hand phone market”, while Cash Converters insisted “we do everything in our power to ensure all personal data is removed from the device”.
SensePost recommends encrypting a mobile device twice before selling it, “once to destroy your data, the second time to destroy the key used for the first round”.
[Channel 4 News article; SensePost blog]