Samsung's Note7 exchange booths: Could users' old data be exposed?
When it comes to the exploding batteries on Galaxy Note7 models, Samsung has been lauded for its crisis management approach and how it’s accepted responsibility for the problem. Now setting up exchange booths at airports around the world so users can exchange their Galaxy Note7 phones is yet another example of its exceptional crisis management approach.
But while it’s commendable how swiftly Samsung is taking action to replace the faulty handsets, the company has left one crucial component out of this plan. That is, erasing the data from those Galaxy Note7 devices that are turned in at its exchange booths at airports around the world. There’s no mention of whether the data is being securely and permanently erased from the Galaxy Note7 phones that are taken back at the exchange booths -- and if it’s being done so before they’re handed off to Samsung’s chosen recyclers.
Here’s why this is a problem. There’s a high likelihood that the owners of Galaxy Note7 phones will use a factory reset to wipe their data before turning them into the Samsung exchange booths. But what most people don’t know is that a factory reset doesn’t actually get the job done because in most cases, it doesn’t permanently remove all data. Instead, it simply removes the pointers to the data so the data actually remains on the device’s internal storage and external secure digital (SD) cards when applicable. Anyone with a little know-how and some readily available software can recover data after a factory reset has been performed.
This was further proven by research from Cambridge University, which revealed that up to 500 million Android phones failed to completely erase all data after a factory reset, making it possible to recover the previous owners' sensitive data, such as login credentials, passwords, contacts and emails. According to researchers, relying on full-disk encryption to secure sensitive data doesn’t help because the file that stores the decryption key isn't erased in factory reset.
So once the mobile recyclers get a hold of the turned in, faulty Galaxy Note7 phones, I’d be curious to know where all the old phones will be stored? Does Samsung have full visibility into how those exchanged phones are being handled by their recyclers and where they’re being stored. If they’re left in unsecured spaces that can be accessed by anyone, they could easily be stolen. And if that happens, a lot of sensitive personal and corporate data mobile users store on their phones could be leaked and cause serious financial, legal and reputational damage to everyone involved.
As an end-user, I’d certainly want assurances that my data was 100 percent erased -- and could never resurface -- after I handed in my phone at one of the exchange booths. Given just how often data breaches happen and how dangerous it can be if personal and corporate information -- like credit card numbers, financial details, social security/national insurance numbers, company emails, sales projections, to name a few -- ever fell into the wrong hands.
For Samsung, the failure to eliminate data from devices that are being resold, recycled or discarded could open the door to severe financial, legal and reputational damage. Stolen intellectual property, customer and employee data and of course credit card information can mean lost corporate revenue, diminished customer and employee confidence, and hefty compliance fines. Data protection is serious business and costly, too. It could easily undermine the goodwill and reputation-building purpose of setting up these exchange booths at airports altogether. And it could result in even more backlash and damage to the brand’s reputation, which is something Samsung certainly wouldn’t want. If Samsung really wants consumers to trust them again, they need to be able to prove to the one million plus remaining Note7 owners that all their data has been permanently erased from these devices when exchanged.
Photo credit: Dan Kosmayer / Shutterstock
Richard Stiennon is Chief Strategy Officer, Blancco Technology Group. He is responsible for leading the company’s overall corporate strategy, including long-term strategic planning, product positioning, public affairs, analyst relations, joint ventures and industry partnerships.