By Sunil Chandna, CEO, Stellar Data Recovery
As Diwali approaches, the excitement around festive flash sales is in full swing. Much like the Black Friday sales in the US, many e-commerce platforms are now prepping for the big season ahead. Smartphones make up a huge part of these sales. Recent news reports have highlighted a 25% surge in iPhone 16 Pro series sales in India during a quick commerce flash sale, a clear indication of India’s growing appetite for high-end smartphones.
Many consumers are eager to upgrade, often trading in their old devices for rebates on new models. But beneath the surface of these record-breaking sales lies a serious issue that few are talking about: data leaks from second-hand phones.
Factory reset this festive season:
While modern Android and iOS operating systems do offer a factory reset, the problem lies in verifying whether a secure erase operation was actually performed on the phone.
During the festival season, it’s estimated that 35 million smartphones will be sold, and it is likely that a significant portion of these will be trade-in deals. Many old devices could be sold on without sensitive data being erased. This could be due to oversight, untrained manpower, a lack of standard operating procedures and the sheer volume of transactions.
The invisible threat: Data leaks
Today, smartphones are an extension of our lives, storing everything from bank details to personal conversations, passport numbers, private photos, videos and login credentials. Unfortunately, when many people exchange their old phones, they forget to sanitize the data stored on them. This oversight leaves behind a treasure trove of sensitive information, putting consumers at risk.
I have been sounding the alarm on this issue amongst my professional and personal circles for years. Back in April 2019, we conducted a research project, the World’s Largest Residual Data Study on Second Hand Devices. The study revealed that over 71% of the 311 devices analyzed contained PII (Personally Identifiable Information), personal data and business information. 222 of the devices studied were disposed of in the secondary market without using proper data erasure tools.
Even as the market continues to be increasingly sensitive to privacy after the Cambridge Analytica scandal that led to GDPR laws, a decade later we have learned this is not just an American problem. In India, awareness around secure data erasure remains low, and as a result, every year consumers risk their privacy when trading in old devices. The recently enacted Personal Data Protection Bill (DPDP Act 2024) puts the onus on businesses to ensure consumer data is handled properly, but without the right knowledge, many consumers are unknowingly exposing themselves to potential data theft.
How to safeguard your data before upgrading
So, how can you protect your personal data when trading in or selling your old phone? Here are some practical, actionable steps:
Back up your data: Before wiping your phone, back up all your important files and data to a secure location, like cloud storage or an external hard drive. This ensures that you don’t lose valuable information in the process.
Sanitize your data properly by using certified software: Don’t rely on a factory reset alone. Invest in trusted data erasure tools that securely and irreversibly wipe data from mobile phones. There are many ‘Made in India’ products that are test-approved by international bodies such as Common Criteria, ADISA and NIST, and that guarantee your data is erased from your storage devices beyond the scope of recovery.
Manually log out of all accounts: Ensure that you manually sign out of all apps and accounts (e.g., Google, Apple ID) before resetting your phone. This prevents residual data from syncing back to the device during recovery attempts.
Remove SIM and SD cards: Always remove your SIM card and any SD cards from the phone before trading it in. These cards often store personal data, including contacts and text messages.
Obtain a certificate of destruction: After cross-checking on your own that you’ve deleted all the photos, login credentials and key data, try enquiring with the manufacturer about a certificate of destruction. As a user, you have the choice to either erase the phone yourself (DIY) or ask for EAA erasure as a service from the retailer. Most professional media sanitisation software generates a ‘Certificate of Destruction’, and this is your proof that your private data has been securely erased. If you ordered an erasure service from a retailer, you must ask for a certificate of secure destruction of your data. When you receive the certificate, check that your phone’s make, model and serial number are recorded in the document.
The role of the industry in data security
While consumers must take responsibility for erasing their data, the onus doesn’t fall solely on them. Manufacturers and retailers should take a more active role in protecting consumer data by offering certified data erasure services as part of the trade-in process. Providing users with education on how to properly clean their devices will benefit everyone in the long run, reducing the risk of data breaches and increasing trust in the resale market.
In the age of flash sales and frequent smartphone upgrades, it’s easy to overlook the hidden risks associated with your old device. The data stored on your phone can be more valuable than you think, and protecting it should be a priority. By taking these simple yet effective steps, you can safely upgrade to a new device without compromising your privacy.
Lastly, remember: in a world of advancing technology, let’s not forget the importance of protecting what matters most, your data. And when it comes to your personal data, the safest hands are your own, so make sure you clean up before you sell up.