Secure or security risk?
Deloitte research highlights the dangers of data theft from mobile devices.
Data including PPS numbers, payment login details, contact lists and personal emails is retrievable from lost/stolen and second hand smartphones.
New research, carried out by Deloitte’s forensics team, shows that personal information, including the identity of the owner, PPS numbers, PayPal login details and personal and work emails, can be retrieved from lost or stolen devices. The research was carried out on a range of mobile devices of various makes, including smartphones and tablet devices.
Commenting on the new research findings, Colm McDonnell, Partner, Enterprise Risk Services, Deloitte said: “With over 12,000 phones being stolen each year, combined with the fact that many mobile phones are upgraded every 18-24 months, there are a substantial number of second hand phones in circulation. The purpose of this research was to determine what data was retrievable and the results clearly show the very real need for both organisations and individuals alike to protect their data and maximise privacy.”
Scenario 1: In the case of stolen phones (50% encrypted, 90% passcode locked):
- In 90% of cases it was possible to identify the owners’ email addresses
- In 75% of cases it was possible to identify the owner
- In 75% of cases the owners’ contacts were recovered
- In 40% of cases a variety of passwords were recovered
- In 25% of cases PPS numbers could be identified as they were stored in contacts or SMS messages
Scenario 2: In the case of factory-wiped phones (40% encrypted, 0% passcode locked):
- In 70% of cases the owner was identifiable
- In 85% of cases it was possible to access text and chat logs
- In 60% of cases it was possible to retrieve contacts
- In 60% of cases it was possible to identify the owners’ email addresses
- In 30% of cases a variety of passwords were recovered
- In 15% of cases PPS numbers were recovered
While a stolen mobile phone is always a significant headache due to lost contacts and the cost of replacement, Deloitte’s research highlighted the more serious repercussions with regard to data theft, as increasing numbers of people use their smartphones for mobile payments and for work purposes.
The research examined a number of key scenarios. With regard to stolen phones, Deloitte’s forensics team successfully accessed owners’ email addresses in 90% of cases, identified the owner in 75% of cases, recovered contacts in 75% of cases, and recovered browsing history in 75% of cases. The team also examined smartphones that had been “factory wiped”, a process often completed before a phone is sold second hand and something that is viewed by many as a sensible and necessary action before surrendering an older device. In these situations, the team managed to recover text/chat log content in 85% of cases and contacts in 60% of cases, and identified the owners’ email address in 60% of cases.
In addition to the risks posed by the theft of personal data, Deloitte also emphasised the need for businesses to understand their legal obligations with regard to data held on smartphones and other bring-your-own devices (BYOD) used in the workplace. In the 21st century, blocking mobile access completely, while secure, is not conducive to the mobile office, and a balance needs to be found between accessibility and security requirements.
Commenting on the research findings, Jacky Fox, IT Forensic Lead, Deloitte and author of the report, said: “There is no doubt that smartphone technology has been hugely beneficial, both for individuals in their personal lives and also in the mobile workplace, but we have to balance the opportunities with the reputational and legal risks of a data breach. An individual piece of data may not pose a particular risk, but the cumulative effect of all the data provides a far more detailed picture, and significant risk.”
Deloitte suggests a number of ways that smartphone users can protect their personal and corporate data in the event of loss/theft or the move to a new device. Recommendations include ensuring that at least a simple passcode lock is enabled on all devices, encrypting your device, evaluating apps carefully before downloading them, providing additional barriers for corporate data and disposing of old devices carefully. The team also recommends enabling the remote wipe facility if it exists on your phone, and carefully recording the IMEI number of the device so that the value of the phone’s hardware is greatly reduced if stolen.
Top tips for protecting your data and maximising privacy:
- Put a passcode on your phone
- Enable encryption if your phone has that functionality
- Protect your corporate data by using complex passwords or device encryption
- Wipe old phones
- Enable the remote wipe facility if possible
- Record the IMEI number
- Protect your phone backups
- Vet your apps
- Safely dispose of your old phones
The Deloitte Security and Forensic team operates an incident response hotline for companies that require timely assistance in the event of a cyber security incident. A typical incident might be an ongoing data breach, a website defacement or a denial of service attack. The team can be contacted on 01 4173000.
About the research
For the purposes of this review the term mobile devices incorporates smartphones and tablets. In order to get a real picture of the potential risks faced by mobile device users in Ireland, a set of experiments was devised to establish what could potentially be found on devices typically in use today. A range of mobile devices was selected, including Apple iPhones, BlackBerry devices, Android devices, Windows phones and a number of tablets.
Two scenarios were tested: a simulation of lost or stolen devices, and a set of second hand phones that had been wiped. Lost/stolen devices were simulated by borrowing phones from consenting participants and trying to retrieve data with no knowledge of the PIN codes or passwords. A sample of second hand phones was purchased that had been “wiped” with the phones’ own built-in reset or factory wipe facility. Using the sample phones, the team attempted to retrieve both personal and corporate data.
This research was conducted by a group of digital forensic investigators using a range of specialist techniques and tools. All but one of the devices in the research were protected by a passcode, meaning that the data collected would not have been accessible by using the handset itself. However, even if data is not directly accessible, it may still be present.
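The closing point above, and the factory-wipe findings earlier in the release, come down to one mechanism: a reset that only forgets where files are leaves their bytes in flash, and a raw scan of the storage finds them again. The simulation below is an added example written for this page, not Deloitte's tooling or method. It models a handset as a flat flash array with a file index, and compares three resets: index-only (bytes remain), crypto-erase (index cleared and the encryption key destroyed), and a full overwrite. The records, the email pattern and the SHA-256-based XOR stream cipher standing in for the device's real cipher are all constructed assumptions; the point is that on an encrypted device the raw scan yields nothing even before the key is destroyed, while on an unencrypted one only an overwrite helps.

```python
import hashlib
import re
import secrets
from typing import Dict, List, Optional

# Constructed sample records (made-up values) standing in for the contact and
# SMS stores that the release says were recovered from reset handsets.
SAMPLE_RECORDS: Dict[str, bytes] = {
    "contacts.db": b"Alice Example <alice@example.com>;Bob Example <bob@example.org>",
    "sms.db": b"Reminder: the payment site login is alice@example.com",
}

# Simple email pattern used by the raw-flash scan below (an assumption).
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def toy_stream_cipher(key: bytes, data: bytes) -> bytes:
    """Toy XOR stream cipher keyed by a SHA-256 counter keystream.
    Stand-in for the device's real block cipher; encrypt == decrypt."""
    out = bytearray()
    for n in range((len(data) + 31) // 32):
        ks = hashlib.sha256(key + n.to_bytes(4, "big")).digest()
        chunk = data[n * 32:(n + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, ks))
    return bytes(out)


class Device:
    """Toy handset: flat flash array, a file index, and an optional
    encryption key held outside flash (as a secure element would hold it)."""

    def __init__(self, encrypted: bool, key: Optional[bytes] = None, size: int = 4096):
        self.raw = bytearray(size)
        self.index: Dict[str, tuple] = {}   # filename -> (offset, length)
        self.next_free = 0
        self.key = (key or secrets.token_bytes(32)) if encrypted else None

    def write(self, name: str, data: bytes) -> None:
        if self.key is not None:
            data = toy_stream_cipher(self.key, data)
        off = self.next_free
        self.raw[off:off + len(data)] = data
        self.index[name] = (off, len(data))
        self.next_free += len(data)

    def read(self, name: str) -> bytes:
        """Normal access through the handset: needs both the index and the key."""
        off, ln = self.index[name]
        data = bytes(self.raw[off:off + ln])
        if self.key is not None:
            data = toy_stream_cipher(self.key, data)
        return data

    def index_only_reset(self) -> None:
        """A reset that merely forgets where files are; flash contents remain."""
        self.index.clear()
        self.next_free = 0

    def crypto_erase(self) -> None:
        """Reset plus destruction of the encryption key."""
        self.index_only_reset()
        self.key = None

    def overwrite_reset(self) -> None:
        """Reset that zero-fills flash: slow, but leaves nothing to scan."""
        self.index_only_reset()
        self.raw[:] = bytes(len(self.raw))

    def carve_emails(self) -> List[str]:
        """Raw scan of flash that ignores the index entirely."""
        return sorted({m.decode() for m in EMAIL_RE.findall(bytes(self.raw))})


def residual_emails_after_reset(encrypted: bool, reset: str,
                                key: Optional[bytes] = None) -> List[str]:
    """Load the sample records, apply the named reset, and report what a raw
    scan of flash still yields afterwards."""
    dev = Device(encrypted=encrypted, key=key)
    for name, data in SAMPLE_RECORDS.items():
        dev.write(name, data)
    assert dev.read("sms.db") == SAMPLE_RECORDS["sms.db"]   # readable before reset
    getattr(dev, reset)()
    try:
        dev.read("sms.db")
        accessible = True
    except KeyError:
        accessible = False
    assert not accessible   # no longer reachable through the handset itself
    return dev.carve_emails()


if __name__ == "__main__":
    for enc in (False, True):
        for reset in ("index_only_reset", "crypto_erase", "overwrite_reset"):
            found = residual_emails_after_reset(enc, reset)
            print(f"encrypted={enc!s:5} {reset:18} -> {found}")
```

Running the block prints the six combinations. The unencrypted device gives up both addresses after an index-only reset and, since there is no key to destroy, after a crypto-erase too; only the overwrite removes them. The encrypted device yields nothing in any case, which is why the "enable encryption" and "wipe old phones" tips in the release work together rather than as alternatives.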