Gone or just forgotten? Leftover data on second-hand devices puts businesses at risk
One fifth of the UK public doesn’t know how to permanently erase data from a device, Kaspersky research has found.
- One in ten (10%) UK workers either don’t know if their devices are connected securely at home, or admit they are not connected securely
- Sensitive business data was found on 10% of both the desktop and storage media devices that Kaspersky analysed
- Just 11% of the devices Kaspersky analysed were entirely clean of existing data
One fifth of the UK public doesn’t know how to permanently erase data from a device, Kaspersky research has found. The cybersecurity expert also undertook a data retrieval experiment on second-hand devices and discovered that 90% contained traces of private and business data, including company emails and much more – demonstrating a risk to businesses when employees fail to wipe their devices before sale.
Kaspersky set out to uncover the dangers of second-hand device ownership by conducting consumer research around knowledge levels of wiping these devices. The company also conducted an experiment to find what data was still available on the 185 second-hand storage media devices it purchased for analysis. Company data, various login details and a host of correlating commercial data were found on the second-hand desktop computers, laptops, smartphones and storage media devices Kaspersky bought, presenting a significant risk to businesses.
Sensitive business data was found on 10% of both the desktop and storage media devices that were analysed. Almost one-fifth (16%) of the devices contained data that could be discovered and extracted immediately, while a staggering 74% held data that could still be recovered through file carving. Additionally, the cybersecurity expert found only 11% of the devices it analysed were entirely clean, showing that more needs to be done not only to increase data awareness, but also to ensure data is completely removed from a device before it is sold second-hand.
Through its survey, Kaspersky found that one in ten (10%) UK workers either don’t know if their devices are connected securely at home, or admitted they are not connected securely. Though this research was European-based (across 2,000 UK, 1,000 German and 500 Austrian respondents), these results reflect a global cybersecurity challenge, given that devices are sold second-hand across the world.
In light of these findings, Kaspersky is calling for businesses to raise awareness among their employees about the importance of data handling, by providing employees with the necessary information and training on how to correctly handle work-provided devices.
David Emm, Principal Security Researcher at Kaspersky, said: “It is clear there is currently not enough education around the risks of leaving data on second-hand devices, and when people are using personal devices to carry out work-related functions, this presents a real danger to businesses. It is imperative companies empower staff to do this effectively, and ensure sensitive data is being handled and removed completely before a pre-owned device is sold.”
Tips to ensure devices are clean include:
- Back up all data, including contacts.
- Remove the SIM card and any external storage such as a microSD card.
- Log out of services like email and social media, then clear the data from these apps if you can.
- Factory reset the device.
- Use a secure erase feature, as a simple delete is not enough.
Deleting data using a file shredder
A "normal" delete, pressing the Del key and then emptying the Recycle Bin, does not properly erase the files: only the reference to their location on the disk is removed, while the contents stay on the disk. Dedicated programs exist to shred files, and some security solutions, such as Kaspersky Total Security, have a file shredder integrated directly.
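The difference between removing a reference and overwriting the content, and why file carving recovers data in the first case, can be shown on a toy disk. This is an added illustration, not code from Kaspersky's report or products; `ToyDisk`, the file names and the sample bytes are constructed for the example.

```python
# Added illustration: a toy "disk" with a file table. All data is constructed.
SECTOR = 512
JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"  # JPEG start/end markers


class ToyDisk:
    """Raw bytes plus a name -> (offset, length) table of references."""

    def __init__(self, sectors=16):
        self.data = bytearray(sectors * SECTOR)
        self.table = {}
        self.next_free = 0

    def write(self, name, content):
        off = self.next_free
        self.data[off:off + len(content)] = content
        self.table[name] = (off, len(content))
        # Next file starts on the following sector boundary.
        self.next_free = off + (len(content) + SECTOR - 1) // SECTOR * SECTOR

    def delete(self, name):
        """'Normal' delete: drop the reference, leave the bytes in place."""
        del self.table[name]

    def shred(self, name):
        """Overwrite the content with zeros, then drop the reference."""
        off, length = self.table.pop(name)
        self.data[off:off + length] = bytes(length)


def carve_jpegs(raw):
    """Signature carving: ignore the table, scan raw bytes for SOI..EOI."""
    found, pos = [], 0
    while (start := raw.find(JPEG_SOI, pos)) != -1:
        end = raw.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break
        found.append(bytes(raw[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)
    return found


def demo():
    photo = JPEG_SOI + b"\xe0" + b"CONSTRUCTED-SAMPLE-IMAGE " * 8 + JPEG_EOI
    deleted, shredded = ToyDisk(), ToyDisk()
    for disk in (deleted, shredded):
        disk.write("notes.txt", b"constructed text file")
        disk.write("scan.jpg", photo)
    deleted.delete("scan.jpg")
    shredded.shred("scan.jpg")
    return photo, carve_jpegs(deleted.data), carve_jpegs(shredded.data)
```

`demo()` returns the original image bytes, the carving result after a plain delete (the image comes back intact) and the result after shredding (nothing is found). On flash media with wear-levelling, an in-place overwrite is not guaranteed to reach the original cells, so a device-level secure erase remains the safer option there.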
Deleting data with the on-board tool Cipher
Files or directories can be deleted quite reliably with Windows' own on-board tool "Cipher". The tool is used to encrypt files, but can also delete them from the hard disk or render them unusable. It is particularly useful when no additional programs are to be downloaded to delete data.
Meanwhile, purchasers should always activate security software for testing, and perform a scan immediately after purchase and before using the device for the first time. These steps should form an extra layer of caution on top of an embedded solution that provides protection.
More information is available in Kaspersky’s Second-Hand Device Dangers report.
Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 250,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.
Online quantitative interviews were conducted by independent market research agency, Arlington Research, in both Germany and the UK. 2,000 interviews were conducted in Germany and 2,000 were conducted in the UK with a nationally representative sample of adults aged 18+. Nationally representative quotas were set on gender, age and region at a country wide level. Results used for this press release are the UK results only.