6 Feb 2014

Revealed: the personal data for sale on your old phone

Exclusive: Two of the UK’s largest pawn brokers are selling second-hand phones which still contain texts, photos, bank details and more, from their previous owners, Channel 4 News can reveal.

A Channel 4 News Data Baby investigation has revealed that two of the UK’s largest pawn shop chains are selling second-hand phones which still contain swathes of deeply personal information from their previous owners.

Photos, text messages, passwords, credit card information and internet searches were left on the phones and easily accessed, leaving their former owners vulnerable to identity theft, fraud and blackmail.

Customers selling their phones to Cash Converters and CEX – two of the UK’s largest pawn shops – are assured that their devices will be wiped before being sold on.

However, with freely available and easy-to-use software, tech experts SensePost took less than an hour to pull off intimate and personal information that the phone’s previous owner had stored.

“The phones look like they’re completely blank, but the data is still there in the memory,” said Glenn Wilkinson of SensePost. “You can use software to find it, and that software is freely available for download. I can teach you how to access the data in 10 minutes.”

When I went to pick up the money they told me it would all be deleted, and you believe them because they’re the experts – Denise Holder

Deeply personal text messages revealing financial trouble, health problems and relationship issues were all accessible. One customer of CEX had photographed employment documents which gave away her company email address and password.

The phones also gave up their former owner’s entire internet browsing history – one device revealed scores of pornographic websites visited by a teenager.

And in another case, SensePost could have accessed the previous phone user’s Facebook account and potentially completed status updates and changes to their account.

Many people believe that the handset’s “restore factory settings” option will wipe the phone. But in fact, it only deletes the directory which tells the phone where photos, texts, and other info is stored. Without the directory, the phone assumes the files are gone. But they remain in its memory and can be accessed by the specialist software.

One phone bought from Cash Converters still contained dozens of pictures of the former owner’s children. Data attached to the photos revealed what appeared to be the family’s home address.

“I’ve got addresses, dates of birth, email addresses, mobile numbers, financial information and details of personal lives. If you’re looking to carry out identity theft or fraud, this sort of information is invaluable,” said Mr Wilkinson.

How can you protect your data? Read more here and follow #datababy for more privacy tips.

Old second hand phones (G)

‘It’s like Big Brother’

Text messages provided a shockingly large trove of data: for one former owner, Denise Holder, Channel 4 News was able to gain almost every message she’d sent using the phone, as well as records of her internet browsing and family photos. Texts sent to her from companies revealed her account numbers and the last four digits of her credit card.

Ms Holder said: “It’s really worrying, to think that all of that is still on there. It’s like Big Brother, someone has access to your whole life. You delete the information and you think it’s gone.”

When she sold her phone to CEX in Cheltenham she was assured by staff that her data would be wiped.

“When I went to pick up the money they told me it would all be deleted, and you believe them because they’re the experts. I feel really angry that my information was left there,” she said.

Cash Converters told Channel 4 News it had launched an investigation into the two stores which sold the phones to our reporters. Chief Executive David Patrick said that a “full factory restore” was the standard procedure for wiping a phone before it was sold.

“All phones are wiped to a standard level and full factory restores are carried out,” said Mr Patrick. “It is our understanding that specialist software may still be able to recover certain information stored on the phone, but we do everything in our power to ensure all personal data is removed from the device.”

A spokesman for CEX said: “As technology evolves so do our systems and we are currently rolling out a new procedure that improves on the current erasing technique used in the second hand phone market.”

Are you a digital native or a data daredevil? Take the #datababy poll to find out

‘Wake-up call for consumers’

The Information Commissioner Christopher Graham is now contacting CEX and Cash Converters to demand an explanation of how they go about protecting customers’ data.

“I was very surprised and rather disturbed by what Channel 4 News discovered,” said Mr Graham. “Apparently the retailers in question had represented those phones as being ‘cleaned’ but as we’ve seen they’re anything but cleaned.

“There’s a wake-up call for consumers: how much data remains on your phone when you’ve wiped it? And for the retailers: if you say that this has been factory reset, Channel 4 News’s report shows this is clearly not enough.”

Channel 4 News has committed to wiping the phones it acquired, using software that overwrites previous owners’ data.

‘Basically, you’re giving your life away

As our phones become more sophisticated, we use them to store more and more data: from calendars detailing where we’ll be and when, to banking details. And all of these can be used for fraud purposes or even identity theft, if it gets into the wrong hands, writes Meabh Ritchie.

Even something as simple as having access to a mobile phone user’s contacts lists can be exploited by criminals, who can pretend to be the user of the phone and contact friends asking for money, say the National Mobile Phone Crime Unit (NMPCU).

“Basically, you’re giving your life away,” said DCI Robert Mahoney, head of the NMPCU. “They know who your parents are, your home address, when you’re going to be in, pin numbers for credit cards, passwords for different accounts: for the typical modern person, you’re giving them access to every bit of your life.”

In Britain, one in four of us have owned a second-hand or refurbished phone and it’s an industry that benefits the previous owner and the buyer: chains like Cash Converters and CEX pay good money for an old phone, and the buyer can get a decent quality phone at a knock down price.

But when so much of your personal information remains easily accessible, it raises the question as to whether the value of your personal data is worth more than the device on which it is stored.