Sensitive data and your mobile phone policy

gallery

Recent research highlighted a worrying fact: more than half of mobile phone users leave sensitive data on their devices after disposing of them. While its easy to assume this is just a case of consumers ignoring the importance of removing all data from their mobiles when getting rid of them, the are increasingly leaving sensitive business information in situ too.

The study by CPP Life Assistance Products showed 54 per cent of second-hand mobile phones contain personal data, ranging from contacts, to emails and even PINs and passwords.

The research also revealed some 247 instances of personal data had been left on a range of mobile phones and SIM cards. This is despite more than 80 per cent of those surveyed claiming they had wiped the information from their phones before getting rid of them.

One of the biggest problems in business, especially when using CRM applications on devices connected to a server (such as a Blackberry running on BES), is that sensitive customer data falling into the wrong hands can have serious legal and financial implications. Then there’s the negative publicity to contend with, too.

“With the rise of smartphones, the most risky data is email as this is one of the most ubiquitous applications on such a device,” said Rene Millman, senior research analyst at Gartner.

“A lot of people store phone numbers, usernames, and passwords on email as it is an ad hoc database of personal information for a lot of people. And searchable too. If it makes it easy for you to find data then inevitably it will be easy for someone else to access this as well.”

Any scrap of data left on a phone could, in theory and most likely in practice too, allow a criminal to piece together your identity and thus make it easier to use this information to sell onto other criminals or use the data to obtain things such as credit cards and loans, according to Millman.

“A series of text messages or contacts or emails all have revealing data about yourself and people who know you,” he said. “That’s why it’s important to wipe this data as soon as you get rid of a phone. Trouble is, the phone manufacturers always hide this option to wipe data away in obscure places.”

To wipe all the data from your phone, you’ll also have to know the administrator password in most cases, making the task a lot more difficult to do without the support of a 24-hour IT department.

But how can you protect yourself and your employees from getting into trouble?

“The safest way to remove all of your data from a mobile phone or SIM card is to totally destroy the SIM and double check to ensure that all content has been removed from your phone before disposal,” said Jason Hart, senior vice president of CRYPTOCard, the company commissioned to carry out CPP’s research.

“With new technology does come new risks and our experiment found that newer smartphones have more capabilities to store information and that information is much easier to recover than on traditional mobiles due to the increase of applications.”

To ensure you are removing as much of the data from your device as possible, you should first restore all factory settings. As factory resets can sometimes leave data on a device, you’ll also need to log out and delete all social networking applications, sites and company networks.

Next, remove and physically destroy your SIM card – there’s still a lot of data stored on SIM cards and the only way to wipe it is by destroying them.

Email to a friend

Print this page