A few weeks ago, we were contacted by a hotel which had been forced to come to the stark realization that the mishandling of unclaimed electronic devices can be, at best, embarrassing. The hotel had donated its smartphones to a local charity. The charity immediately organized a local auction and sold all the devices; no testing or clearing was done.
One smartphone buyer noticed that the device he purchased still contained the original owner’s personal and confidential information. Fortunately, the buyer was an honest man. He contacted the hotel to let them know the device he had just purchased still had all their guests’ personal information. He returned the device and the hotel was very grateful.
This could have gone very wrong. Did the device contain bank account or credit card information? Did it have the owner’s address or social security number? Were there any intimate photos or videos on the device? We’ll never know exactly what information it contained, but you can bet there was some information that an unscrupulous person could have used to steal an identity or to harm or embarrass the original owner.
Some organizations use online auction services to sell devices from lost and found departments, as well as from property and evidence rooms. Even though these types of services are professional in nature, most do not take the care required to properly erase personal data before auctioning devices for their clients.
For instance, a popular auction service, used by many law enforcement property and evidence rooms, does not guarantee devices to be properly cleared before an auction. According to listings on their website, PropertyRoom.com sells items on behalf of law enforcement and public agency clients. Many of the “smartphones” they list are being sold in “as-is” condition. Devices are listed as "untested due to the fact it does not power on, does not take charge, sold as is, for parts, may be account or carrier locked".
What does this mean for an organization that sells electronic devices through PropertyRoom.com? Untested devices are essentially uncleared devices. The data from the original owner is still on the device, and in many cases can still be accessed.
We purchased 10 devices from PropertyRoom.com to see if there was, indeed, data left behind. Here are the results:
2 were simple feature phones with no user locks. All data on the devices was available.
2 iPhones were iCloud locked. Data was encrypted and we were unable to recover any data.
1 Android smartphone was unrepairable and we were unable to recover any data.
3 Android smartphones were repaired. These devices had no user lock, and photos, videos, text messages, and contacts were easily recovered.
2 Android smartphones were repaired. They had user locks; however, after a factory reset, photos (including pornography), videos, text messages, and contacts were easily recovered.
All of today's electronic devices contain some sort of personal data that could damage the owner, should it fall into the wrong hands. Anyone who operates a lost and found department MUST take seriously their role in protecting guest identity.
In examining 200 smartphones recovered from lost and founds across the country, we found information that could have been very damaging, had it fallen into the wrong hands. Included were such things as usernames and passwords, confidential corporate data, pictures of credit cards (front and back), alarm codes, pictures of individuals engaging in unlawful activity, and tons of porn.
Ask yourself, “If I lost my device on our property and could not recover it, would I be satisfied with the way we dispose of it?” That’s the simplest, and most effective, way to determine whether you are handling guest devices properly.