ECU research highlights PDA information security breaches
Thursday, 28 August 2008
ECU research has revealed that at least one in five second-hand mobile devices still contain sensitive information, leaving individuals and their organisations at risk of identity fraud, theft, blackmail and forgery. The research was conducted in collaboration with the University of Glamorgan (Wales) and UK communications provider British Telecom and involved analysis of over 160 used hand-held mobile phones and personal digital assistants (PDAs). Information including salary details, financial company data, bank account details, sensitive business plans, and personal medical details was found on the devices, and forty-three per cent of PDA devices examined contained information from which individuals or their organisation could be identified.
The use of PDAs by organisations has increased significantly in recent years, prompting warnings for these organisations to ensure that sensitive information is erased before disposing of hand-held devices. In cases where information is not effectively removed from hand-held devices, individuals and organisations are exposed to a range of potential crimes including identity fraud and theft. These organisations had also failed to meet their statutory, regulatory and legal obligations.
In one example, a PDA was examined that had previously been used by the sales director for Europe, the Middle East and Africa of a major Japanese corporation. It was possible to recover the call history, the address book, the diary and the messages from the device. Information recovered included:
- Business plans, customer details and the state of customer relationships
- Details of the individual's personal life, including information about their children and their occupations, movements, marital status and addresses
- Bank account numbers
- Car make and registration details
- Appointments and addresses for dental and medical care providers
Adjunct Professor at ECU, Dr Andy Jones, led the survey with ECU Head of the School of Computer and Information Science, Professor Craig Valli. Dr Jones says that there are tools available to ensure the safe disposal of information and it's difficult to understand why organisations aren't taking the necessary precautions. "These everyday items now contain sophisticated digital memory capable of storing huge amounts of sensitive data," he says. "Organisations must ensure that adequate procedures are in place to destroy any data and to check that these procedures are effective." Dr Jones is also a member of SEC.AU, the Security Research Group based at ECU's School of Computer and Information Science. Current projects include mobile device forensics and investigation of remnant data on second-hand hard disks.
- ends -