Researchers recently discovered that technicians had accessed data on laptops they worked on. The study also showed that few repair shops have clear privacy policies. So, it’s a good reminder to beef up the security of your device if your laptop or phone needs repairs, experts say.  “If you’ve turned your device over to a repair company and provided them access with your security pin, they can access anything that isn’t further restricted on your phone and make copies of the data,” cybersecurity expert Josh Smith of the company Nuspire told Lifewire in an email interview. 

Not So Private Repairs

Researchers at the University of Guelph in Ontario, Canada, examined laptops repaired at local shops. The data showed that technicians from six locations had accessed personal information and that two shops also copied information.  “Our investigation shows an absence of policies and controls to safeguard customers’ data across all types of repair service providers,” the researchers wrote in the paper. “We show that despite their concerns, customers get their devices repaired to save cost or data. We provide suggestions on how the state of privacy in the repair industry can be improved. Our work calls to action device manufacturers, OS developers, repair service providers, and regulatory bodies to take appropriate measures to safeguard customers’ privacy in the repair industry.” Brent Skumlien, the information security architect for the University of Phoenix, said in an email to Lifewire that if your device is not encrypted with a strong passcode, the data on the device could be viewed by anyone with possession of the phone or tablet. He said that strangers could scroll through your private photos, read your text messages, or even make copies of your data.  “Devices like phones and tablets are essential parts of our digital lives and contain vast amounts of private data,” Skumlien added. “Pictures, emails, text messages, and social media posts are just some of the things at stake. And it’s not just local data; these devices are our connection to a vast array of cloud services such as Google Drive, iCloud, and even our banks. Without taking the right precautions, all of this could be at risk.”

Keeping Your Data Safe

If your device needs to go in for repairs, there are steps you can take to keep your data more secure. Skumlien said that you should first ensure your device is encrypted and has a strong passcode. Android and Apple devices support and even default to encryption. Also, ensure important data is backed up somewhere, like iCloud, Google Drive, or other cloud services.  In addition to device encryption, many apps that connect to cloud services support fingerprint or Face ID access, Skumlien said, and added, “So even if the device itself is unlocked, you still need to unlock the app in order to get to the data.”  Skumlien pointed out that a new feature on iPhones and iPads with iOS 16 is the ability to hide and lock photo albums. “This may be an attractive option for extra sensitive shots that deserve another layer of protection,” he said. Try to choose a repair shop where you can see the technician working on your device, Skumlien said. “They may need you to unlock the device to verify functionality after the repair but make sure they don’t take the device into a back room after you unlock it.”  If you must send your device away for repair, such as warranty work, there is a chance the company might send you a new device if yours is not repairable. If that is the case, you may be able to remotely wipe the device if it ever gets powered back on and connected to the internet, Skumlien said.  “And if you do get your original device back, the repair technician will not have had access to your data while working on it,” he added. Despite the recent study showing that there’s risk to your data, Smith said not to worry too much. “Personally, I think this is a pretty low risk when using a reputable repair company, but it isn’t impossible by any means,” he added. “There’s always a malicious actor lurking out there somewhere.” 12/27/2022 Update: Corrected the name of the company in paragraph three.