BreachExchange mailing list archives

Identity theft fears as a faulty laptop is resold on eBay


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 30 Sep 2013 22:36:42 -0600

http://www.theguardian.com/money/2013/sep/28/identity-theft-fears-faulty-laptop-resold

It is a bizarre story that raises concerns about the security of personal
information held on home computers. A London film maker has found that a
faulty Acer laptop he returned to Sainsbury's was sold via eBay to an
American buyer – who contacted him to let him know he had access to his
personal profile on the machine.

Glenn Swift bought the laptop via Sainsbury's website, but within two weeks
the hard drive died and he was left with a plain blue screen.

He returned the computer to the supermarket's north London Muswell Hill
store, which quickly apologised and replaced it. However, both the webcam
and the track pad did not work properly, so Swift took it back once again.

"The Sainsbury's team said the items would be returned to the manufacturer
and I thought no more about it," Swift says. "But then, six days later, out
of the blue, I received an email from a gentleman who informed me he had just
purchased a second-hand laptop on eBay.

"It still had my profile on it and he asked for my password to allow him to
unlock it. Alarm bells started ringing."

Without giving any passwords, he responded to the email, asking where he'd
bought it.

To his amazement, the man revealed he was in the US and that the laptop had
been bought through an American-based eBay seller. It was less than a week
after Swift had returned the item to Sainsbury's.

"It was then I realised just how much information a Windows 8 profile can
access. When you first use it you have to set up a profile," says Swift.

"If you are an existing user your profile is automatically downloaded to
the new computer – apps, settings and passwords, Facebook, Twitter, Yahoo!,
BlackBerry, Gmail, etc. All your information, accessible in one single
place."

Alarmed that his ID details were exposed and he was at risk of fraud, Swift
called Sainsbury's. The store reiterated that its policy was to return all
laptops to the manufacturer for diagnostics. If they were to be resold they
would first be refurbished and wiped clear, he was promised.

Swift contacted the police, who warned him that he was now vulnerable
to identity fraud, but said that at this stage it was still a civil matter.

As a result Swift spent the day changing all his passwords in a bid to halt
any potential problems.

He says that Sainsbury's has since struggled to explain what happened, and
cannot tell him what has been done with the second laptop that he returned.

"Staff at the shop have been rather useless, apart from apologising a lot.
The guy in America has stopped responding to me. You may want to warn
others in the same boat to think carefully about how they return items," he
told Guardian Money.

Independent expert on IT security, Graham Cluley, says Swift is right to be
concerned. It is vital, he says, to wipe all data (see his advice below)
and the same is true of USB drives and mobile phones. "One of the issues is
that with Windows 8 a single password can be used to access multiple
settings," he adds.

"Microsoft strongly encourages you to use an online Microsoft account to
sign in. That means if someone else manages to get your password, they
cannot gain access to all kinds of settings and documents that you have
chosen to sync between devices."

He said such incidents aren't always the fault of the company selling the
laptop. It can be that they've trusted a third-party organisation to handle
the secure disposal of assets.

When Money contacted Sainsbury's, it suggested that a third party may be at
fault.

A spokesman says: "We would like to apologise to Mr Swift for his
experience. As soon as we were aware of his complaint we launched a
thorough investigation and a third-party contractor working at one of our
sites has now been suspended.

"We have passed the details of our investigation to police and are helping
them with their inquiries."

He says its customer services team will be talking to Swift about
compensating him.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
