As loyal Apple Inc. fans upgrade to the newest iPhone 6, beware of potential security faux pas, as data may linger on an old phone unless it has been affirmatively removed.
Corporate data is removed from an old device during the upgrade process, said Scott Christensen, director of technology and information security at Edwards Wildman Palmer. Although the process is not the same as a full wipe, which is done when a mobile device has been lost, the effect is similar.
On the Android side, if someone with a Galaxy SIII wants to upgrade to a Galaxy S5, both devices are brought in to his IT team, Christensen said, and all corporate data on the old device are removed. The new device will then begin synchronizing data (e.g., email contacts, calendars).
“Even if the data on the old device was not actively removed, the policies in place at most firms will effectively cause that data to ‘fall off’ and be eliminated within a month or less,” Christensen said.
Technical differences, such as the type of devices, how they are connected (e.g., ActiveSync) and whether a mobile device management system is in place, will play a role in how device upgrades and wipes are handled, said Christensen.
Err on the side of caution when updating to a new phone, said Brian Brown, vice president of technology and security at Austin-based e-discovery company RenewData Corp. “There are several potential concerns with updating to the iPhone when sensitive information is on your existing one,” said Brown.
Brown shared four tips to verify that data is cleared out of your old phone:
Never hand over your device (new or old) to someone not on your IT team.
Restore your new phone using a backup saved on your laptop computer.
Safeguard your old device until it is forensically wiped.
Guard your backups. Make sure you maintain physical control over any disk/media where a backup resides.
With an iPhone, the safest way to transfer data is via an iTunes backup, Brown said. Handing a device over to a store clerk to transfer the data “introduces vulnerability and a potential for a malicious employee to siphon data from your device,” he said.
Another potential vulnerability lurks in the time lapse between decommissioning an old phone and when it’s forensically wiped, Brown said. The data on a mobile device is generally unencrypted, he said, and there is a risk of a “malicious actor mounting the device and copying all the data off the phone.”