New research from BT, the University of Glamorgan in Wales and Edith Cowan University in Australia has revealed that a significant number of hand-held communication devices which are bought second-hand still contain sensitive company and personal information.
The survey of over 160 used gadgets found a range of information including salary details, financial company data, bank account details, sensitive business plans, details of board meetings and personal medical details.
The devices containing the greatest volume of information were discarded Blackberry devices, which in a number of cases were left unprotected despite having security features such as encryption built in.
Forty-three per cent of those examined contained information from which individuals, their organisation or specific personal data could be identified, creating a significant threat to both the individual and the organisation. It is thought that this is the result of the increasing adoption and use of this type of device by organisations to support increasingly mobile workforces.
Although mobile phones are far less sophisticated, 23 per cent of those examined still contained sufficient individual information to allow the researchers to identify the phone's previous owner and employer.
In one example, a Blackberry was examined that had been used by the sales director for Europe, the Middle East and Africa (EMEA) of a major Japanese corporation. It was possible to recover the call history, the address book, the diary and the messages from the device and the information that was contained in these provided:
Dr Andy Jones, head of information security research at BT, who led the survey, said: "Given the level of exposure that the subject of security and identity theft has recently received, and the availability of suitable tools to ensure the safe disposal of information, it is difficult to understand why organisations are not taking the necessary precautions when disposing of hand-held devices. These everyday items now contain sophisticated digital memory capable of storing huge amounts of sensitive data. Organisations must ensure that adequate procedures are in place to destroy any data and to check that these procedures are effective."