Staples resold laptops with customer data, audit finds

[InfoSec News <alerts () infosecnews org>]

http://www.cbc.ca/news/technology/story/2011/06/21/technology-staples-business-depot-privacy-commissioner.html

CBC News
Jun 21, 2011

Staples Business Depot has breached Canadian privacy law by not fully 
wiping customer data off laptops and storage devices returned by 
customers before reselling them, Canada's privacy commissioner has 
found.

Banking information, tax records, social insurance numbers, health card 
and passport numbers, as well as academic transcripts were among the 
information found on 54 of 149 tested data storage devices destined to 
be resold by Staples during an audit by the office of Privacy 
Commissioner Jennifer Stoddart.

"The position of our office is that if Staples is unable to remove all 
customer data from a particular manufacturer’s device, it is 
unacceptable to resell that device," said a summary of the findings.

The audit was part of Stoddart's 2010 report tabled in Parliament on 
Tuesday in compliance with Canada's Personal Information Protection and 
Electronic Documents Act (PIPEDA), meant to protect the private 
information that consumers give to companies in the course of doing 
business.

The privacy commissioner's office tested computers, laptops, USB hard 
drives and memory cards that had already undergone a "wipe and restore" 
process intended to delete data. The devices most likely to contain 
customer data were laptops, where it was found in 17 of 20 cases.

[...]

___________________________________________________________
Tegatai Managed Colocation: Four Provider Blended
Tier-1 Bandwidth, Fortinet Universal Threat Management,
Natural Disaster Avoidance, Always-On Power Delivery
Network, Cisco Switches, SAS 70 Type II Datacenter.
Find peace of mind, Defend your Critical Infrastructure.
http://www.tegataiphoenix.com/