Throwing a broken smartphone or computer in the trash or selling it as used without deleting the data can create an opportunity for thieves to steal information.
Many older phones may still have data left over from improper deletion. Photo: SeekingAlpha
“The things you find on discarded digital devices are more horrifying than you can imagine,” said Kurt Gruber, founder and CEO of Australian cybersecurity company WV Technologies.
The conclusions were reached after WV and consulting firm PwC conducted a study on e-waste. Rob Di Pietro, the study’s lead author, bought a smartphone and a tablet for less than $50 at a second-hand store with the aim of seeing what data was inside.
“The results shocked me,” Pietro told NCA NewsWire.
Specifically, the team retrieved 65 pieces of personally identifiable information (PII) from the phone. On the tablet, which was labeled as belonging to a company, the team also retrieved login information that allowed access to a database of another 20 million sensitive PII records.
“The problem is much bigger than we realize in this digital age,” said Pietro. “We were shocked at how many people leave their most sensitive data in plain sight.”
According to News.com.au, thousands of tonnes of e-waste are generated in Australia alone each year, but only 10% of it is recycled. Globally, this waste is also increasing rapidly and will exceed 70 million tonnes per year by 2030.
Not only ordinary users, but also businesses, private organizations and governments do not thoroughly clean up data before discarding technology devices. "We found network keys on some electronic devices belonging to a state at a junk auction," Gruber said after analyzing some discarded hard drives. "Then we found a lot of personal information, including full medical records of government employees, personal data, even sensitive images from surgeries."
WV Technologies also discovered an Excel file containing customer names, addresses, phone numbers and credit card details. The data was obtained after the company purchased a number of discarded hard drives from dozens of stores of a retail chain in Australia.
WV Technologies estimates that one in 250 discarded hard drives is not properly erased. “That’s creating an opportunity for cybercriminals,” Gruber said. “It’s very possible that cyberattacks are going down the old device route, because that’s the point of least resistance. Instead of going through the trouble of breaking into a system to steal identities, they can spend $20 to $30 on a piece of junk electronics.”
In fact, some companies have lost billions of dollars by failing to properly destroy data. Last September, the Securities and Exchange Commission (SEC) fined Morgan Stanley $35 million for “staggering” failures to protect customer data. The bank sold decommissioned servers and hard drives without properly wiping the data inside. In 2020, Morgan Stanley was fined $60 million and hit with a class-action lawsuit for the same amount. Some of the hard drives containing the bank’s data were later auctioned off online.
Many organizations and individuals are willing to spend millions of dollars to build anti-hacking systems, but spend little money on properly destroying or recycling e-waste. This is because the deletion process is both time-consuming and expensive. Companies often choose the simple solution of shredding or throwing away devices instead of recycling them.
Previously, Russ Ernst, vice president of products and technology at data protection company Blancco, also warned that wiping a smartphone, even with a factory reset, may not completely remove everything. According to him, smartphones contain messages, emails, bank account information and many other kinds of sensitive data, such as GPS locations. Restoring factory settings is just one of three steps to comprehensively protect data before reselling the device to someone, because a "factory reset" simply deletes the paths to the folders containing data on the device rather than destroying everything.
To completely erase a phone, Ernst recommends users take three steps: erase the data, verify the data has been erased, and receive a report of the successful operation. For hard drives and other storage devices, users can seek professional services.
According to VnExpress
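The three steps Ernst lists (erase, verify, report) and the pointer-only reset he warns about, as an added example that is not part of the article or any vendor's tooling. It assumes a regular file stands in for the storage device; the function names, image layout and sample record are constructed for illustration.

```python
import hashlib, os, tempfile, time

BLOCK = 4096  # verification granularity in bytes

def quick_reset(path):
    """Pointer-only reset (modelled): clear the index block, leave data blocks."""
    with open(path, "r+b") as f:
        f.write(bytes(BLOCK))

def overwrite(path):
    """Step 1, erase: overwrite every byte of the image with zeros."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for off in range(0, size, BLOCK):
            f.write(bytes(min(BLOCK, size - off)))
        f.flush()
        os.fsync(f.fileno())  # force the zeros out of the page cache

def verify(path):
    """Step 2, verify: read everything back; return offsets of non-zero blocks."""
    residual, off = [], 0
    with open(path, "rb") as f:
        while chunk := f.read(BLOCK):
            if chunk.count(0) != len(chunk):
                residual.append(off)
            off += len(chunk)
    return residual

def report(path, residual):
    """Step 3, report: what was erased, how, and whether it verified."""
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"bytes": os.path.getsize(path), "method": "single-pass zero overwrite",
            "verified": not residual, "residual_blocks": len(residual), "sha256": digest,
            "finished_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())}

def demo():
    """Constructed 64 KiB image: an index block plus one record at offset 8192."""
    image = b"INDEX contact@8192".ljust(2 * BLOCK, b"\0")
    image += b"name=Jane Example;phone=000-0000"  # constructed sample record
    fd, path = tempfile.mkstemp(suffix=".img")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(image.ljust(64 * 1024, b"\0"))
        quick_reset(path)
        after_reset = verify(path)  # the record is still readable here
        overwrite(path)
        return after_reset, report(path, verify(path))
    finally:
        os.remove(path)
```

On flash storage such as phones and SSDs, wear levelling and remapped blocks mean a host-side overwrite may not reach every physical cell, which is why the verify and report steps matter and why the device's own sanitize function or a professional service is used for real media.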