Lost iPhone or Smartphone = Breach?

It's bad enough when you lose your iPhone or smartphone, because you can't make phone calls or access email. What's even worse is what the finder may do with it.

In a recent study, although half of the smartphones were returned, almost every finder snooped into both corporate and personal files. Finders also tried to get through to password-protected data. On average, finders spent ten hours snooping before returning the smartphone. Finders looked into the owner's cloud, too. It's making "remote data wipe" seem like a very good idea.

The Symantec Smartphone Honey Stick Project sent out 50 “lost” smartphones and watched what the finders did with the smartphones:

  • 96 percent of lost smartphones were accessed by the finders of the devices.
  • 89 percent of smartphones were accessed for personal-related apps and information.
  • 83 percent of smartphones were accessed for corporate-related apps and information.
  • 70 percent of smartphones were accessed for both business- and personal-related apps and information.
  • 50 percent of smartphone finders contacted the owner and provided contact information.
  • Attempts to access a corporate email client occurred on 45 percent of the devices.
  • A file titled “HR Salaries” was accessed on 53 percent of the phones and another titled “HR Cases” was accessed on 40 percent of the devices.
  • Attempts to access a private photos app occurred on 72 percent of the devices.
  • An attempt to access an online banking app was observed on 43 percent of the devices.
  • Access to social networking accounts and personal email were each attempted on over 60 percent of the devices.
  • A “Saved Passwords” file was accessed on 57 percent of the phones.
  • 66 percent of the devices showed attempts to click through the login or password reset screens (where a login page was presented with username and password fields that were pre-filled, suggesting that the account could be accessed by simply clicking on the “login” button).
  • There was an average time of 10.2 hours before an access attempt was made to contact the owner.

Symantec suggested that corporations develop practices to prevent data breaches and the loss of important data. Companies should integrate mobile device security and management into their overall security and management framework and administer it the same way.

50 smartphones were left in New York City, Washington D.C., Los Angeles and the San Francisco Bay Area within the U.S., as well as Ottawa, Canada. The devices were intentionally lost in a number of different environments.