Case Notes

This case relates to DPP4 - Security of personal data

Case No.: 2018C09

Advisable to delete data after trying out smart products – DPP4

The Complaint

The complainant tried out a smart phone at a telecommunications company. During the tryout, she logged into her Cloud storage account on a trial phone for a short period of time. A few months later, the complainant received a call from an unknown person, who told her that he was able to access the personal data in her Cloud storage account through his own Cloud storage account. The complainant was worried about security vulnerabilities in the relevant Cloud storage service, and hence made a complaint to the PCPD.

Outcome

Our investigation revealed that although the complainant had logged out of her Cloud storage account after trying out the smart phone, she did not delete the data synchronised to the trial phone (i.e. the data which had been automatically downloaded from the complainant’s Cloud storage to the trial phone after she had logged into her Cloud storage account) before logging out.

At a later time, the unknown person visited the same store and tried out the same trial phone. During the tryout, he also used the trial phone to log into his Cloud storage account. As a result, the complainant’s data, which had been synchronised to the trial phone earlier, was then synchronised to the person’s Cloud storage account.

The PCPD considered that this incident was not caused by any security vulnerabilities in the Cloud storage service, but by the complainant’s ignorance of the data synchronisation between her Cloud storage account and the trial phone.

The PCPD therefore sent a letter to the company, suggesting that it remind its customers (by posting notices or otherwise) not to use their online service accounts when trying out devices, and to ensure that data downloaded to the relevant device is deleted before leaving the company.

Lesson learnt

When trying out or borrowing devices like smart phones, tablets and computers, users should be mindful of the privacy risks associated with using the devices to log into their own online service accounts (in particular accounts for online banking, email, Cloud storage, online shopping, social networking sites and photo albums, etc.). Customers are also reminded to delete all data downloaded to the trial devices during the tryout to avoid leaving any digital footprints.

(Uploaded in August 2020)

