Staples Resells Storage Devices Without Wiping Customers’ Personal Information

Canada’s privacy watchdog, Jennifer Stoddart, is no slouch when it comes to aggressively enforcing her mandate – providing the strongest possible privacy protection for Canadians, in an era of constantly evolving risks to privacy.

Stoddart has successfully taken on Google, Facebook, and a multitude of transgressors intent on violating Canada’s federal privacy law – the Personal Information and Electronic Documents Act.

As part of her annual report, released yesterday, Stoddart outlined what she described as a “long-standing problem” – Staples Business Depot’s failure to fully wipe customers’ personal data – including government-issued identification numbers, financial statements, employment histories, medical information, e-mail messages, personal correspondence and photographs – from computers, laptops, USB Hard Drives, and memory cards, prior to resale. A stunning violation of the Personal Information and Electronic Documents Act.

But why be polite? Rather than just a violation of the privacy act, what we’re really talking about is a negligently stupid lack of consideration for the privacy of the people who pay the bills – the customer.

Stoddart’s common sense position: If you (Staples) can’t remove all customer data from a device, then don’t sell it.

In a rather pathetic response, Staples Business Depot tried to weasel out of the blowback from what is clearly an embarrassing and perhaps legally challenging (although, this remains to be seen) situation, by describing the data wipe process as ineffective. Theoretically technically true – but, disingenuous nevertheless.

Short of melting down a Hard Drive’s platter/s, there is always a risk (theoretically), that deleted/overwritten data can be recovered. But, an average user is not up against James Bond, the CIA, the FBI, or a computer forensic specialist running an application such as OSForensics – which I have reviewed here.

Some practical advice:

If you are ever in a position where you find it necessary to return a storage device for a refund or replacement, do not trust that the merchant will apply proper security precautions. Instead, run a reliable utility designed to erase and overwrite data on the storage device.

To learn how to do this using the freeware application File Shredder 2 – read the companion piece to this article – Delete Data Permanently With Free Free File Shredder 2 – which I posted immediately following this article.
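The overwrite-then-verify step behind the advice above, as an added example that is not from the original article and not File Shredder 2's code. It runs on a constructed image file standing in for a returned device; the function names, signature list and sample contents are assumptions.

```python
import os
import tempfile

BLOCK = 4096
# Headers that suggest leftover user files (a match split across two blocks is missed).
SIGNATURES = {b"\xff\xd8\xff": "jpeg", b"%PDF-": "pdf", b"PK\x03\x04": "zip/office"}

def overwrite(path, passes=2):
    """Overwrite every byte in place: random passes, then a final all-zero pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for n in range(passes):
            f.seek(0)
            left = size
            while left:
                chunk = min(BLOCK, left)
                f.write(bytes(chunk) if n == passes - 1 else os.urandom(chunk))
                left -= chunk
            f.flush()
            os.fsync(f.fileno())  # push this pass to the medium before the next one

def residue(path):
    """Return (non_zero_blocks, signature names) still readable in the image."""
    dirty, found = 0, set()
    with open(path, "rb") as f:
        while block := f.read(BLOCK):
            if block.strip(b"\x00"):
                dirty += 1
            found.update(name for sig, name in SIGNATURES.items() if sig in block)
    return dirty, sorted(found)

def demo():
    """Build a constructed 64 KiB image, then compare residue before and after."""
    image = bytearray(16 * BLOCK)
    samples = ((8192, b"\xff\xd8\xff\xe0 holiday photo"), (20480, b"%PDF-1.4 bank statement"))
    for offset, data in samples:
        image[offset:offset + len(data)] = data
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(image)
    before = residue(path)  # what the next buyer could read if nothing was wiped
    overwrite(path)
    after = residue(path)   # should be (0, []) once the final zero pass has run
    os.remove(path)
    return before, after

if __name__ == "__main__":
    print(demo())
```

The check only covers what is readable through the normal interface; flash media with wear levelling can hold spare blocks that an overwrite never reaches.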


7 responses to “Staples Resells Storage Devices Without Wiping Customers’ Personal Information”

  1. Pingback: Delete Data Permanently With Free Free File Shredder 2 | Bill Mullins' Weblog – Tech Thoughts

  2. Regnor

    What can one do if a storage device gets broken and can no longer be accessed by any software?
    If it was a cheap USB stick or HDD I would just throw it away, but what should I do with an SSD?

    • Hey Regnor,

      Since secure erasure measures are unlikely to be effective on an SSD in any event, although this is still open to some debate – use a sledgehammer, or incinerate.

      Bill

  3. Dave B

    When returning a working device with personal data on it, the responsibility of removing that data belongs to the consumer. Sure, it should be wiped by the retailer, but if the person returning the device cares that little about the security of their data, I have no sympathy for them. Typical of today’s mentality, no personal responsibility.

    To use part of the article, “a negligently stupid lack of consideration for the protection of one’s own personal data”.

    • Hey Dave,

      Privacy legislation both here in Canada, and in the European Union, recognizes that average computer users are computer illiterate. Should it be this way – of course not. You and I both agree that lack of personal responsibility is a major issue.

      The point in question with Staples is/was a “long-standing problem” – they had been advised many times to change their procedures to comply with the Act. They chose to ignore these reminders, and continued to put customers’ privacy at risk. There’s a certain sense of arrogance in that.

      Best,

      Bill

  4. Hi Bill,
    This is amazing but I’m not surprised. The cavalier attitude about privacy among some people really sickens me. The other issue is, large chain stores who hire slackers who really don’t care because they’re paid a little more than minimum wage. It was also found that Department of Defense hard drives were sold unwiped on eBay. To me security and privacy are intertwined and despite recent very public hacks like Sony (http://hassonybeenhackedthisweek.com/) the corporate big wigs still don’t get it.
    Thanks
    Mark