Staples Selling PCs with Old User Data Still Intact

By Kevin Parrish
published

It's the risk you take when returning products that feature some type of storage solution, whether its a USB stick, laptop or an Xbox 360.

CBC News reports that Staples (Business Depot) in Canada has violated privacy law by not fully wiping consumer data off laptops and storage devices that are returned by customers.

According to the report, Privacy Commissioner Jennifer Stoddart conducted an audit on 17 out of 300 Staples stores across the country, 15 of which had devices slated to be resold that weren't fully wiped. These devices included desktops, laptops, USB hard drives and memory cards that supposedly already endured a wipe and restore process before returning to the retail shelf.

But overall, the audit discovered that 54 of the 149 audited devices still contained banking information, tax records, social insurance numbers, health card numbers, passport numbers and additional information left behind by prior owners. Laptops were the biggest offenders, with 17 out of 20 still holding on to old user data.

Stoddart said that she didn't have the authority to impose sanctions, but did suggest that Staples re-evaluate the way it removes old data. "Until our recommendation on wiping customer data is fully implemented, personal information will continue to remain at risk and Staples will not meet its obligations under PIPEDA," Stoddart's report said.

Staples followed up with an official statement claiming to have cooperated fully with the privacy commissioner's office during the audit. "Further, Staples has implemented changes that exceed current industry practice to remove personal data from returned memory devices," the company said, adding that it was currently testing several ways of wiping data from returned storage devices.

But the office retailer also stated that overwriting the data, which was suggested by the privacy commissioner's office and one of the most reliable methods of eradicating old data, would not be an option, claiming that the process could damage some of the devices.

Stoddart's recent audit isn't he first time the privacy commissioner's office investigated user-data complaints relating to Staples. She called the latest findings "particularly disappointing" given that the same problem surfaced in 2004 and 2008, and that Staples committed to corrective action to resolve the privacy issue both times.

Sounds like Staples based in the U.S. may need to be audited too.

Kevin Parrish
40 Comments Comment from the forums
  • aoneone
    Only a complete idiot would overlook the wonderful partition commands. ^^

    Not to mention returning their devices to 'Staples' out of all the other places... Good Lord, I think I am getting dumber by the Kilobyte. ^^ Have a nice day! =)
    Reply
  • dogman_1234
    Has anyone ever heard of removing a hard drive. If you can't remove it...why were you using a computer in the first place.
    Reply
  • eddieroolz
    I heard Staples and that was enough.

    But in all honesty, this is why I wipe the disk with 3 passes when I need to return something.
    Reply
  • JOSHSKORN
    Staples: Yeah, we've got that! Even data that has been left behind.
    Reply
  • footfiremystic
    Couldn't they have just pressed their "EASY" button?
    Reply
  • christop
    Not shocked here they have no computer skills at all just hire people off the street who think they know how to fix computers but know nothing at all. They can't even format a drive... damn..
    Reply
  • RazberyBandit
    In response, Staples would be wise to hire new, competent technicians (for a change) in order to clean this mess up.
    Reply
  • house70
    "But the office retailer also stated that overwriting the data, which was suggested by the privacy commissioner's office and one of the most reliable methods of eradicating old data, would not be an option, claiming that the process could damage some of the devices. "

    WTF? The only thing damaged here is their (shoddy) reputation.
    It would cost them some extra time to do that, but unless their wiping solution consists of putting the HDD in a microwave, there would be no damage. And please don't tell me Staples does not have the money to buy a Killdisk license.
    Reply
  • In America this would be a quick class action lawsuit, and the problem would be solved industry wide. Sucks to be Canadian, where the "enforcers" cant even issue a citation.
    Reply
  • Why would you give the laptop back to staples with your data still on it?
    Reply