Uncovering private data in secondhand sales

Our experts define the deluge of data on used devices.

Data remains on 90% of secondhand devices

Kaspersky’s Global Research and Analysis Team (GReAT) has examined security in secondhand devices. The devices, which DACH research heads Marco Preuss and Christian Funk scrutinized for two months in late 2020, included used laptop computers and a variety of storage media such as hard drives and memory cards.

Their goal was not to determine differences according to device type but rather to examine the data on them — to learn how electronic data relates to person-to-person or other secondary market sales. As a seller, what traces might you be leaving behind? As a buyer, how can you make your device behave as if it were brand-new — and until you do, is using your new-to-you device even safe?

Findings

An overwhelming majority of the devices the researchers examined contained at least some traces of data — mostly personal but some corporate — and more than 16% of the devices gave the researchers access outright. Another 74% gave up the goods when the researchers applied file-carving methods. A bare 11% had been wiped properly.

The data Preuss and Funk found included items that could potentially be harmless or terribly revealing and even dangerous: calendar entries, meeting notes, company resource access data, internal documents, personal photos, medical information, tax documents, and more. Furthermore, as Funk pointed out, personal data doesn’t tend to lose value over time; you can’t simply wait out the risk and feel safer after some time passes (not that feeling safe actually lessens risk in any way).

In addition to directly usable information such as contact lists, tax documents, and medical records (or access to them through saved passwords), electronic devices contain information that can cause secondhand damage; consider how cybercriminals exploit the information they glean from social network profiles and posts. The contents of a digital device are vastly more informative.

Did we mention the malware?

It’s safe to say no one else shares your precise tolerance for digital device security. Some may lock things up even tighter than you do, but if you’re buying secondhand, it’s not unlikely you’ll receive not just someone else’s data but also bonus malware. Of the devices Preuss and Funk examined, 17% triggered our virus scanner alarms.

Prequel: A broader study

The research we’re reporting on here actually began with a study that Kaspersky commissioned from Arlington Research. It queried several thousand adult consumers in the United Kingdom, Germany, and Austria. The initial study functioned as a confirmation of sorts, finding that secondhand digital sales are indeed robust and indeed a reliable source of data leaks; fewer than half of the many hundreds of buyers did not find any photos, “explicit material,” contact details, sensitive documents such as passports, or login details on the devices they’d purchased.

Seller, beware

Although approximately 10% of the survey’s respondents had been given devices on which they found the seller’s info, not many of them would ignore, immediately delete, or report found data to the original owner or any authorities. Beyond just taking a peek (which 74% of respondents said they’d find a way to do), more than 1 in 10 admitted they would sell the data they found if they thought they could profit from it.

Advice and tips

The United Kingdom’s National Cyber Security Centre provides some practical advice for buyers and sellers of secondhand electronic devices, from backing up personal data to making sure the device is as clean as a new one would be.

For sellers

As a seller, your top priority is getting your information off the device you’re selling so that you can keep it both secure and private. Yes, it’s also important to make sure the device is safe, which we hope you’ve done all along, but the point here is to keep your stuff to yourself.

  • Back up your data: Whether it’s on a phone, a computer, a memory card, or another form of storage, securely back it up before deleting it from the device you’re selling;
  • Remove SIM and storage cards from phones; erase the eSIM if your device uses one;
  • Enable two-factor authentication for any accounts that allow it, and then sign out of every service (banking, e-mail, social media, etc.) on the device you’re selling;
  • Depending on the device in question, perform a factory reset or format the media;
  • Keep in mind that in many circumstances data may be recoverable even after a factory reset or media format. To be sure nothing is left on the device, you need to take additional steps, which vary depending on the device type, model, and configuration; search for information on securely deleting all data from yours.
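
A seller-side check for the last point, as an added example that is not part of the original article: scan a raw image of the media for non-zero blocks and for the file signatures that file-carving tools look for, to confirm a wipe actually removed the data. The signature list, function names, and sample images are constructed for illustration.

```python
import io

# File signatures ("magic bytes") of the kind carving tools search for.
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "zip/docx": b"PK\x03\x04",
    "sqlite": b"SQLite format 3\x00",
}

def audit_wipe(stream, block_size=4096):
    """Scan a raw image; count non-zero blocks and locate file signatures."""
    report = {"blocks": 0, "nonzero_blocks": 0, "hits": []}
    overlap = max(len(s) for s in SIGNATURES.values()) - 1
    tail, offset = b"", 0
    while block := stream.read(block_size):
        report["blocks"] += 1
        if block.strip(b"\x00"):          # at least one non-zero byte
            report["nonzero_blocks"] += 1
        # Prepend the previous block's tail so signatures that straddle
        # a block boundary are still found.
        window, base = tail + block, offset - len(tail)
        for name, sig in SIGNATURES.items():
            pos = window.find(sig)
            while pos != -1:
                if pos + len(sig) > len(tail):   # not already reported
                    report["hits"].append((base + pos, name))
                pos = window.find(sig, pos + 1)
        tail = window[-overlap:]
        offset += len(block)
    report["hits"].sort()
    return report

def make_sample_images(block_size=4096):
    """Constructed inputs: a 'quick-formatted' image and a zero-filled one."""
    quick = bytearray(block_size * 4)
    quick[4094:4099] = SIGNATURES["pdf"]    # leftover document, spans two blocks
    quick[8292:8295] = SIGNATURES["jpeg"]   # leftover photo
    return bytes(quick), bytes(block_size * 4)

if __name__ == "__main__":
    for label, image in zip(("quick format", "zero-filled"), make_sample_images()):
        r = audit_wipe(io.BytesIO(image))
        print(f"{label}: {r['nonzero_blocks']}/{r['blocks']} blocks hold data, "
              f"signatures at {r['hits']}")
```

A drive overwritten with random data or holding an encrypted volume will report non-zero blocks, and short signatures can match by chance there. On an SSD, an all-zero result covers only the blocks the operating system can address.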

For buyers

Our advice for buyers of secondhand devices is very much like our advice for general digital ownership, but a bit more stringent because we have to assume a secondhand device is dirty. Better safe than sorry.

  • Depending on the device in question, perform a factory reset or format the storage media;
  • Install and activate a reliable security solution immediately — if possible, before even purchasing the device — to offset the risk of encountering malware already present on a device, and perform a scan before using the device for the first time.