Analyzed cards, mainly from smartphones and tablets, contained private personal information, business documentation, audio, video, and photos.

Kelly Sheridan, Former Senior Editor, Dark Reading

June 28, 2018

4 Min Read

Wipe your device, then check it twice: A new study has found most secondhand memory cards contain personal information belonging to previous owners who either failed to properly remove their data or didn't attempt to delete it at all.

"We make such a big deal out of Facebook giving away our details, but many of us just leave this stuff out there on our local memory," says Comparitech privacy advocate Paul Bischoff.

In a study conducted by the University of Hertfordshire and commissioned by Comparitech, researchers bought and analyzed 100 used SD and micro SD memory cards from eBay, secondhand shops, auctions, and other sources over a four-month period. They created a forensic image of each card and used freely available software to recover data.

Most of the cards came from smartphones and tablets, Bischoff says, but some also came from satellite navigation systems, cameras, and drones. Sixty-five of the 100 cards analyzed still contained troves of personal materials: contact lists, browsing histories, intimate photos, passport copies, resumes, identification numbers, and business documentation, among them.

"It's really easy when people get a new device to just throw out the old one and get rid of it completely," Bishop notes. "If this information gets out there into the wrong hands, it could do a lot of damage … identity theft, extortion, blackmail."

Only twenty-five cards had been properly wiped so that no information could be recovered. Thirty-six were not wiped at all; neither their owners nor sellers took any steps to try and erase the data, either. Twenty-nine appeared to have been formatted, meaning their owners attempted to try and erase their information, but data still could be revered "with minimal effort," researchers explain. Four were broken, four were blank, and two had had their data deleted, but it was easily recoverable.

If a card is tossed without the proper precautions, Bischoff says, it's fairly easy for any third party to access the data inside. "It really doesn't take much know-how," he explains, noting that the researchers used free forensics software they found online to recover information.

Their findings indicate how device owners, businesses, and resellers are responsible for wiping information before it falls into someone else's hands. Users need to be more careful about deleting their data, of course, but resellers also need to properly wipe devices sold to them. Card manufacturers also play a role in making the process of erasing and disposing of cards both easier and more apparent for users, Bischoff adds.

"If it's corporate-owned, it really depends on what the business structure is for dealing with this sort of thing," he continues. In the case of BYOB devices, IT teams might not be able to remotely control or access an employee's smartphone or tablet. Bischoff says the cards containing business data in this study were likely personal and that the owners downloaded sensitive files.

Phones containing sensitive data should have all files backed up in a secure cloud or have user access controls to block users from saving important devices local on the device.

Researchers anticipate problems related to improperly erased data will continue as local storage gets less expensive and people store more types of information on memory cards. However, Bischoff argues, the expansion of cloud storage will cause people to shift.

"Obviously storage demands are increasing, but the rise of the cloud will minimize the effects to some degree," he says. "I think people will store in the cloud and skip local storage altogether."

How to Properly Delete Data
If you plan on reselling your smartphone, laptop, camera, or other device equipped with an SD or micro SD card, you need to properly delete the data. Many people try to wipe their SD cards but fail to get rid of all the information. Simply deleting a file from the device doesn't actually delete the ones and zeroes that make up the file; those stay on the device until overwritten.

You need to perform the "full format," not "quick format," Bischoff says. The process varies depending on your operating system, but both Windows and Mac devices have built-in formatting to erase all information from an external storage device.

Related Content:

Why Cybercriminals Attack: A DARK READING VIRTUAL EVENT Wednesday, June 27. Industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Go here for more information on this free event.

About the Author(s)

Kelly Sheridan

Former Senior Editor, Dark Reading

Kelly Sheridan was formerly a Staff Editor at Dark Reading, where she focused on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights