The danger of throwing broken smartphones in the trash

Leaving a broken smartphone or computer in a landfill or selling old items without deleting data can create conditions for crooks to steal information.

“What you find on discarded digital devices is more horrible than you can imagine,” says Kurt Gruber, founder and CEO of Australian-based cybersecurity company WV Technologies.

The above conclusion was made after WV and consulting firm PwC conducted a study on e-waste. Rob Di Pietro, the study’s lead author, bought a smartphone and a tablet for less than $50 at a thrift store to see what data was inside.

“The results shocked me,” Pietro told  NCA NewsWire .

Specifically, the research team retrieved 65 pieces of personally identifiable information (PII) from the phone. On a tablet that was already labeled with a company, the team also obtained login credentials that allowed access to a database of another 20 million sensitive PII records.

“The problem is much bigger than we might realize in today’s digital age,” Pietro said. “We were shocked that so many people left their most sensitive data where it was most visible.”

Many older phones may still save data due to improper deletion. Photo:  SeekingAlpha

According to  News.com.au , in Australia alone, thousands of tons of e-waste are generated each year, but only 10% of that is disposed of. Globally, this type of waste is also increasing rapidly and will exceed 70 million tons per year by 2030.

Not only ordinary users, businesses, private organizations and governments also do not thoroughly process data before discarding technology devices. “We found network keys on several state electronics at a second-hand auction store,” Gruber said after analyzing several discarded hard drives. “We then found a ton of personal information, including complete medical records of government employees, personal data, and even sensitive images from surgeries.”

WV Technologies also discovered Excel files containing customers’ names, addresses, phone numbers and credit card details. The data was obtained after the company purchased several discarded hard drives from dozens of stores of a retail chain in Australia.

According to estimates by WV Technologies, one in every 250 hard drives is discarded, one that has not been properly erased. “That is contributing to the opportunity for cybercriminals,” Gruber said. “It is very likely that the attacks are carried out the old equipment route, because that is the point of least resistance. Instead of going to the trouble of breaking into the system to steal their identity, they can spend 20-30 USD on discarded electronics.

In fact, some companies have lost billions of dollars because of not destroying data properly. Last September, the US Securities and Exchange Commission (SEC) fined Morgan Stanley $35 million for an “incredible” mistake in protecting customer data. In it, the bank sells downed servers and hard drives without properly wiping the data inside. In 2020, Morgan Stanley was also fined $60 million and sued for the same amount of money. Some hard drives containing banking data are then auctioned off online.

According to experts, many organizations and individuals are willing to spend millions of dollars to build anti-hacking systems, but spend little money on proper disposal or recycling of e-waste. This is because the deletion process is equally time-consuming and costly. Companies often choose to simply shred or dispose of devices instead of recycling them.

Earlier, Russ Ernst, VP of product and technology at data protection company Blannco, also warned that wiping data on smartphones may not remove everything completely, including factory reset. (factory reset). According to him, smartphones contain text messages, emails, bank account information and other sensitive data, such as GPS location. Factory reset is just one of three steps to comprehensive data protection before reselling the device to someone. Because ‘factory reset’ simply deletes the path to the folders containing data on the device, not destroys the whole thing.

For a complete wipe on a phone, Ernst recommends that users take three steps: erase data, verify deleted data, and receive a report on successful operation. For hard drives and other storage devices, users can look to professional services.