Salary details, financial data, bank account details, sensitive business plans, notes from board meetings and personal medical details are being discovered by buyers of second-hand smartphones.
BlackBerry owners were the worst offenders for discarding their handsets with sensitive company and personal information.
The survey of over 160 used gadgets found that in a number of cases BlackBerries were left unprotected, despite having security features like encryption built in.
Buyer Got More Than Bargained For
In one example, a BlackBerry was examined that had been used by the sales director for Europe, the Middle East and Africa (EMEA) of a major Japanese corporation.
It was possible to recover the call history, the address book, the diary and the messages from the device.
The information contained in these revealed the organisation's business plan for the next period, the identity of its main customers and the state of the relationships with them, the individual's relationship with their support staff, and so on.
Forty-three per cent of the smartphones examined contained information from which individuals, their organisation or specific personal data could be identified, creating a significant threat to both the individual and the organisation.
High-end handsets are increasingly being adopted and used by organisations to support mobile workforces – yet only 35 per cent of companies have a mobile device security strategy in place.
Even on less sophisticated devices, 23 per cent of the mobile phones examined still contained sufficient individual information to allow the researchers to identify the phone’s previous owner and employer.
Businesses Unaware of Data Security
The research highlights a lack of awareness amongst businesses about the amount of data that can be retrieved from mobile devices.
The situation is made more complex as most of the devices are provided by a supplier as part of a mobile communications service.
When they reach the end of their effective life, in most cases somewhere between one and two years, they have little or no residual value and, in most cases, no consideration is given to the data that they may still contain.
For a significant proportion of the devices that were examined, the information had not been effectively removed and as a result, both organisations and individuals were exposed to a range of potential crimes.
These organisations had also failed to meet their statutory, regulatory and legal obligations.