Questions arising when a child finds dirty pictures on Dad’s “new” refurbished smartphone

Dad wasn’t pleased when, after he purchased two refurbished cell phones he believed to be new, his son immediately found photos and videos of naked folks doing nasty things on one of the devices.

Dad’s lawsuit naming Sprint “and affiliates” claims the stars of the show were store employees who sold him the phones. Sprint has attempted to distance itself from the alleged bad behavior at the retail outlet, according to a report from Courthouse News Service.

We can all agree that salespersons shouldn’t produce porn on devices they will later sell to customers.  But there might be blame to go around, since the phones may have been refurbished by the manufacturer, or by an independent operation specializing in refurbishing.

Question #1:  Why was there no disclosure that the devices were refurbished?

Suppose the store personnel had not documented their private parts on the phone before it was sold. A used computing device would nonetheless be likely to retain traces of data from the previous user.

There are many well-documented cases where used IT communication devices were not fully wiped before they were resold. The prospective buyer should know the status of the device, and understand the potential for unwelcome content.

Question #2:  The lawsuit claims a similar (pornographic) event happened in another Sprint store, which leads Habeas Hard Drive to wonder about the refurbishing process itself.  Is it uniform and specific?  Is there an audit trail? Are audits of the refurbishing activity ever performed?

Question #3:  Does the retailer have a procedure for handling the merchandise?

There should be a security procedure followed by all employees for handling products and data that go in and out of the store.

For example, the employee badges might have an RFID device that allows them access to the locked case where the phones are displayed, creating a record of who opened the case, and when.  (If this is not practical, Habeas Hard Drive would need to know more about the business to recommend a truly workable procedure.)

Here’s the point. Forget the dirty photos, which made the employees immediately identifiable.  What if the employees had uploaded malware onto the phone that would steal the new owner’s banking information?

Businesses continue to ignore the liability created when employees touch technology.  They continue to view digital security as merely an expense, rather than a strategic element of the business.  This is negligence, and it will continue to cause embarrassment and cost money.

by Ira Victor @ira_victor, and Samantha Stone
