New research reveals two-thirds of second-hand memory cards contain personal data from previous owners

June 29, 2018, University of Hertfordshire
New research reveals two-thirds of second-hand memory cards contain personal data from previous owners
Credit: University of Hertfordshire

University of Hertfordshire research finds people aren't sufficiently erasing data before selling old memory cards from mobile phones, tablets and other connected devices.

New research finds that two-thirds of second-hand memory cards found in mobile phones or tablets and sold to the public still contain from their previous owners. The study, commissioned by—the security and privacy reviews and comparison website, analysed data held and therefore sold on used memory cards. This analysis uncovered a host of personal information and sensitive materials, including passport copies, contact lists and identification numbers being passed from one person to the next.

The team at the University of Hertfordshire purchased and analysed 100 used SD and micro SD memory cards from eBay, conventional auctions, second-hand shops, and other sources over a four-month period. They created a forensic image, a bit-by-bit copy, of each card, then used freely available software to recover data. The majority of cards were used in smartphones and tablets, while other devices also included cameras, SatNav systems, and even drones.

Data recovered from the used memory cards worryingly included and sensitive materials such as intimate photos and selfies, passport copies, contact lists, navigation files, pornography, resumes, browsing history, identification numbers and other important personal documents.

Professor Andrew Jones, Professor of Cyber Security at the University of Hertfordshire said: 'This research uncovers the prevalence of second-hand memory cards providing a rich source of sensitive data, that could easily be misused if a buyer so wished. Despite the ongoing media focus on cybercrime and the security of personal data, it is clear from our research that the majority are still not taking adequate steps to remove all data from before sales.

'Particularly important is satellite navigation systems (SatNav) data, which can be used to determine the home location of the user, and also the routes that they regularly use and locations that they have identified as being of interest, which may include their place of work and the homes of family and friends. Again, this information in the wrong hands could easily put previous owners at risk.

'At the University of Hertfordshire's Cyber Security Centre, we are focused on investigating and developing tools and techniques capable of detecting and responding to a variety of cyber based attacks, including the collection of digital forensic evidence.'

Paul Bischoff, Privacy Advocate for said: "As exemplified in this report, often the problem is not that people don't wipe their SD cards; it's that they don't do it properly. Simply deleting a file from a device only removes the reference that points to where a computer could find that file in the card memory. It doesn't actually delete the ones and zeros that make up the file. That data remains on the card until it is overwritten by something else. For this reason, it's not enough to just highlight all the files in a memory card and hit the delete key. Retired cards need to be fully erased and reformatted.

'From posting intimate pictures on the web without their knowledge that could be subject to facial recognition technology, illegitimate use of children's photos that may be stored on these card; or using or selling ID documents like a passport to commit fraud – the outcomes are truly scary.'

The full breakdown from the 100 cards studied is as follows:

  • 36 were not wiped at all, neither the original owner nor the seller took any steps to remove the data.
  • 29 appeared to have been formatted, but data could still be recovered "with minimal effort."
  • 2 cards had their data deleted, but it was easily recoverable
  • 25 appeared to have been properly wiped using a data erasing tool that overwrites the storage area, so nothing could be recovered.
  • 4 could not be accessed (read: were broken).
  • 4 had no present, but the reason could not be determined

There's more information on the topic on's website.

Explore further: Keeping personal details personal in the Digital Age

Related Stories

Keeping personal details personal in the Digital Age

October 5, 2015

Users of mobile phones, tablet computers and other devices with a memory card—that being practically everyone these days—risk having their identify stolen if they don't securely erase their personal data.

Digital Foci Ships Image Moments 6 Digiframe

October 6, 2008

The Digital Foci IMT-063 Image Moments 6 digiframe features a 5.7 inch 640 x 480 display with LED backlighting, two tone chrome finish, 450Mb of internal storage, support for memory cards, and USB 2.0 connectivity. The frame ...

Toshiba to launch world's fastest microSD memory cards

April 18, 2014

Toshiba Corporation today announced that it will launch the world's fastest microSD memory cards, compliant with UHS-II, the ultra high speed serial bus interface defined in SD Memory Card Standard Ver. 4.20. Sample shipments ...

Toshiba to launch the world-fastest class SDHC memory cards

March 14, 2012

Toshiba Corporation today announced that it will launch a new line of high performance SDXC and SDHC memory cards under a new brand name, EXCERIA, that will bring to market SD memory cards offering the highest performance ...

Recommended for you

Coffee-based colloids for direct solar absorption

March 22, 2019

Solar energy is one of the most promising resources to help reduce fossil fuel consumption and mitigate greenhouse gas emissions to power a sustainable future. Devices presently in use to convert solar energy into thermal ...

EPA adviser is promoting harmful ideas, scientists say

March 22, 2019

The Trump administration's reliance on industry-funded environmental specialists is again coming under fire, this time by researchers who say that Louis Anthony "Tony" Cox Jr., who leads a key Environmental Protection Agency ...


Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.