Gone or just forgotten? Leftover data on second-hand devices puts businesses at risk 

One fifth of the UK public doesn’t know how to permanently erase data from a device, Kaspersky research has found. The cybersecurity expert also undertook a data retrieval experiment on second-hand devices and discovered that 90% contained traces of private and business data, including company emails and much more – demonstrating a risk to businesses when employees fail to wipe their devices before sale.

Kaspersky set out to uncover the dangers of second-hand device ownership by conducting consumer research around knowledge levels of wiping these devices. The company also conducted an experiment to find what data was still available on the 185 second-hand storage media devices it purchased for analysis. Company data, various login details and a host of correlating commercial data was found on the second-hand desktop computers, laptops, smartphones and storage media devices Kaspersky bought, presenting a significant risk to businesses.

Sensitive business data was found on 10% of both the desktop and storage media devices that were analysed. Almost one-fifth (16%) of the devices contained data that could be discovered and extracted immediately, while a staggering 74% held data that could still be recovered through file carving. Additionally, the cybersecurity expert found only 11% of the devices it analysed were entirely clean, showing that more needs to be done not only to increase data awareness, but ensure data is completely removed from a device before it is sold second-hand.

Through its survey, Kaspersky found that one in ten (10%) UK workers either don’t know if their devices are connected securely at home, or admitted they are not connected securely. Though this research was European-based (across 2,000 UK, 1,000 German and 500 Austrian respondents), these results reflect a global cybersecurity challenge, given that devices are sold second-hand across the world.

In light of these findings, Kaspersky is calling for businesses to raise awareness among their employees about the importance of data handling, by providing employees with the necessary information and training on how to correctly handle work-provided devices.

David Emm, Principal Security Researcher at Kaspersky, said: “It is clear there is currently not enough education around the risks of leaving data on second-hand devices, and when people are using personal devices to carry out work-related functions, this presents a real to danger to businesses. It is imperative companies empower staff to do this effectively, and ensure sensitive data is being handled and removed completely before a pre-owned device is sold.”

Tips to ensure devices are clean include:


  • Back up all data, including contacts.
  • Remove the SIM card and any external storage such as a microSD card.
  • Log out of services like email and social media, then clear the data from these apps if you can.
  • Factory reset the device.

Laptop computer

  • Use a secure erase feature, as a simple delete is not enough.

Deleting data using File Shredder

When “normally” deleting via the Del key followed by emptying the Recycle Bin, the files are not deleted properly, but only the reference to their location on the disk is removed. To shred files, there are dedicated programs. Some security solutions such as Kaspersky Total Security have such file shredders directly integrated.

Deleting Cipher data with on-board tools

Files or directories can be deleted quite reliably with Windows’ own on-board tool “Cipher”. The tool is used to encrypt files, but can also delete them from the hard disk or render them unusable. Using the Windows tool is particularly useful if no additional programs are to be downloaded to delete data.

Meanwhile, purchasers should always activate security software for testing, and perform a scan immediately after purchase and before using the device for the first time. These steps should form an extra layer of caution on top of an embedded solution that provides protection.

Read the latest edition of PCR’s monthly magazine below:

Like this content? Sign up for the free PCR Daily Digest email service to get the latest tech news straight to your inbox. You can also follow PCR on Twitter and Facebook.

Check Also

Why strong passwords aren’t enough to stop identity-based attacks

David Higgins, Senior Director at CyberArk’s Field Technology Office explains why strong passwords aren’t enough …