Sensitive data stored on Android devices such as the Tesco Hudl can still be accessed even if a user has carried out a factory reset, an investigation by the BBC has found.
Three separate tests on various Android tablets concluded that data is not necessarily removed even after users have chosen the factory reset option, with some tests resulting in just the list of locations being deleted and nothing else. A secure wipe removes the index as well as onboard memory, preventing it from being recovered by anyone else.
based devices were purchased from selling site eBay as part of the investigation. Security expert Ken Munro, who worked with the BBC to test the results for themselves, found the Tesco Hudl tablet to be particularly vulnerable to attacks.
He said: "There's a flaw in the firmware, which allows you to read from it as well as write."
The flaw leaves potentially sensitive information on devices, which can then be passed on to others when the device is lost, stolen or sold.
During the experiments, Munro could read and analyse data as well as extracting PIN codes, Wi-Fi keys, cookies and other browsing data. This meant that he could sign in to websites, accessing private information relating to the tablet's original owner.
Sven Boddington, vice president of global marketing and client solutions at Teleplan, added: "To say its worrying to find tablet devices are being sold with data still on them is an understatement.
"As consumers, we are becoming increasingly reliant on our mobile devices, from basic communications, social media, to mobile banking and payment transactions, and therefore the data they carry is more and more sensitive."
It is expected that new Android releases will feature automatically enabled encryption, rather than as an option as it is now.
A spokesperson for Tesco responded to the worrisome findings, saying: "Customers should always ensure all personal information is removed prior to giving away or selling any mobile device. To guarantee this, customers should use a data wipe program.
"If you sell or dispose of your device, we recommend you enable encryption on your device and apply a factory reset beforehand."
The spokesperson also assured customers that, if they return the tablets to Tesco, all data will be securely wiped from them.
"Businesses that process mobile devices such as smartphone and tablets for use as second hand products have a responsibility to the sellers, and buyers of these devices to ensure that the proper security procedures are applied so that personal data is thoroughly and permanently destroyed," Boddington added.
Tesco came under scrutiny earlier this year when the personal details including email addresses and passwords of 2,239 Tesco Clubcard users were leaked and published on Pastebin.
