Incident: Android Factory Reset Flaw Exposes Personal Data on eBay Phones

Published Date: 2014-07-08

Postmortem Analysis
Timeline 1. The incident was reported in July 2014, when the source articles on Avast's findings were published [36453, 28330].
System The software failure incident described in the news articles was a failure of the data wiping functionality of Android phones, specifically the factory reset option. The systems that failed were: 1. Android's factory reset option [36453, 28330] 2. The built-in software for performing factory reset or delete-all operations on Android phones [36453] These operations removed data only at the application layer, so personal data stayed in a recoverable state and third parties could retrieve it even after users believed they had performed a clean wipe.
Responsible Organization 1. Google, as maintainer of the Android operating system: the factory reset and 'delete all' operations built into Android phones did not completely wipe personal data from the devices, leaving sensitive information recoverable by Avast with publicly available forensic tools [36453, 28330].
Impacted Organization 1. Previous owners of Android smartphones who sold their devices [36453, 28330] 2. Buyers of used Android smartphones from eBay [36453, 28330] 3. Google, as the Android operating system was mentioned in the context of the software failure incident [36453]
Software Causes 1. Lack of thorough data cleansing mechanisms in Android phones, even after performing factory reset or delete-all operations [36453, 28330] 2. Ineffective factory reset option in Android phones, leaving deleted data in a recoverable state [28330]
Non-software Causes 1. Lack of awareness among users of how much personal data their smartphones hold, and of the risk of selling or donating a device from which that data can still be recovered [28330] 2. Users' mistaken belief that the factory reset option performs a clean wipe and full reinstall, when it only deletes data at the application layer [28330] 3. Insufficient consideration given to the personal data stored on a phone before selling or donating it [28330]
Impacts 1. Personal data, including compromising photos, emails, text messages, contact names, and Google searches, were easily accessible from used Android phones even after performing factory resets or delete-all operations, leading to privacy breaches and potential identity theft [36453, 28330]. 2. The incident highlighted a significant flaw in Android phones' factory reset option, indicating that the data deletion process was not thorough enough to prevent sensitive information from being recovered by third parties [36453, 28330]. 3. The recovery of more than 40,000 photos, 250 compromising selfies, and personal information like loan applications and contact details from just 20 used smartphones demonstrated the extent of data vulnerability and the potential risks associated with selling or disposing of old devices [36453, 28330]. 4. The incident raised concerns about the lack of awareness among users regarding the security implications of personal data stored on smartphones, emphasizing the need for better data protection measures and user education [28330]. 5. Avast's findings underscored the importance of implementing stronger data wiping techniques, such as encryption, multiple factory resets, and loading dummy data, to ensure that personal information is securely erased before selling or donating devices [36453].
Preventions 1. Encrypting the device before performing a factory reset, so that whatever remains on the storage after the reset is ciphertext without its key [36453]. 2. Performing the factory reset, then loading the phone with dummy data so the storage the reset freed is overwritten, then resetting again [36453]. 3. Using a more secure deletion tool, such as the one provided by Avast's Android security app, that overwrites personal data rather than merely deleting it [28330].
Fixes 1. Encrypt the device before performing a factory reset so that data is not easily recoverable [36453]. 2. After the factory reset, load the phone with dummy data to overwrite the storage the reset freed [36453]. 3. Repeat the factory reset after loading the dummy data [36453]. 4. Use a reliable deletion tool, such as the one provided by Avast, to ensure personal data is properly wiped from the device [28330].
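Why a factory reset that works "only at the application layer" leaves data carvable, and why the two countermeasures above (overwrite with dummy data, or encrypt before the reset) close the gap, as an added example that is not code from the articles, from Avast, or from the Android project. It assumes a toy block device with a separate directory table standing in for the phone's flash and filesystem, JPEG carving reduced to start/end marker matching, and a SHA-256 counter keystream standing in for block-layer encryption (a stand-in, not a real cipher). The sample "photo" is constructed.

```python
import hashlib
from typing import Dict, List, Tuple

BLOCK_SIZE = 512          # toy block size; real flash pages are larger
N_BLOCKS = 64

SOI = b"\xff\xd8\xff"     # real JPEG start-of-image marker prefix
EOI = b"\xff\xd9"         # real JPEG end-of-image marker


def make_jpeg(payload: bytes) -> bytes:
    """JPEG-shaped blob: real markers around a constructed payload (not decodable)."""
    assert b"\xff" not in payload, "toy payload must not contain marker bytes"
    return SOI + b"\xe0" + payload + EOI


class ToyFlash:
    """Flat block array plus a separate directory table (hypothetical model).

    The split is the point: a delete or a metadata-only factory reset edits the
    directory, while the blocks keep their old bytes until something overwrites them.
    """

    def __init__(self) -> None:
        self.blocks = bytearray(BLOCK_SIZE * N_BLOCKS)
        self.directory = {}  # type: Dict[str, Tuple[int, int]]  # name -> (first block, count)
        self.next_free = 0

    def write_file(self, name: str, data: bytes) -> None:
        count = -(-len(data) // BLOCK_SIZE)   # ceil division
        if self.next_free + count > N_BLOCKS:
            raise OSError("toy flash full")
        off = self.next_free * BLOCK_SIZE
        self.blocks[off:off + len(data)] = data
        self.directory[name] = (self.next_free, count)
        self.next_free += count

    def factory_reset_metadata_only(self) -> None:
        """The application-layer wipe the page describes: forget the files, keep the blocks."""
        self.directory.clear()
        self.next_free = 0

    def fill_with_dummy_data(self, pattern: bytes = b"\x00") -> None:
        """Overwrite every block no file claims (the 'load dummy data' step)."""
        allocated = set()
        for first, count in self.directory.values():
            allocated.update(range(first, first + count))
        for b in range(N_BLOCKS):
            if b not in allocated:
                self.blocks[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = (pattern * BLOCK_SIZE)[:BLOCK_SIZE]

    def raw_image(self) -> bytes:
        """What a forensic imager sees: every block, allocated or not."""
        return bytes(self.blocks)


def carve_jpegs(image: bytes) -> List[bytes]:
    """Header/footer carving over a raw dump, the basic technique forensic tools apply."""
    found, pos = [], 0
    while True:
        start = image.find(SOI, pos)
        if start == -1:
            break
        end = image.find(EOI, start + len(SOI))
        if end == -1:
            break
        found.append(image[start:end + len(EOI)])
        pos = end + len(EOI)
    return found


def toy_stream_encrypt(key: bytes, data: bytes) -> bytes:
    """SHA-256 counter keystream XOR: stands in for block-layer encryption, not a real cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        keystream = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], keystream))
    return bytes(out)


PHOTO = make_jpeg(b"constructed selfie bytes " * 12)   # sample file, constructed


def naive_reset_recovers() -> bool:
    flash = ToyFlash()
    flash.write_file("DCIM/IMG_0001.jpg", PHOTO)
    flash.factory_reset_metadata_only()
    return PHOTO in carve_jpegs(flash.raw_image())      # True: the bytes are still there


def reset_fill_reset_recovers() -> bool:
    flash = ToyFlash()
    flash.write_file("DCIM/IMG_0001.jpg", PHOTO)
    flash.factory_reset_metadata_only()
    flash.fill_with_dummy_data()          # dummy data lands on the freed blocks
    flash.factory_reset_metadata_only()   # second reset drops the dummy files again
    return PHOTO in carve_jpegs(flash.raw_image())      # False


def encrypt_then_reset_recovers(key: bytes = b"key-derived-from-user-passphrase") -> bool:
    flash = ToyFlash()
    flash.write_file("DCIM/IMG_0001.jpg", toy_stream_encrypt(key, PHOTO))
    flash.factory_reset_metadata_only()   # key is discarded with the reset; only ciphertext remains
    return PHOTO in carve_jpegs(flash.raw_image())      # False


if __name__ == "__main__":
    print("naive reset, photo carved back:", naive_reset_recovers())
    print("reset + dummy data + reset, carved:", reset_fill_reset_recovers())
    print("encrypted before reset, carved:", encrypt_then_reset_recovers())
```

On a real device the image is a dump of the raw data partition rather than a Python bytearray, and the encryption layer is dm-crypt rather than a hash keystream, but the ordering matters the same way: overwriting only works if the dummy data is written after the reset has freed the blocks, and because flash wear-levelling can leave physical pages that the operating system never rewrites, encrypting before the reset is the more reliable of the two.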
References 1. Avast Software [36453, 28330] 2. eBay [36453, 28330] 3. Google [36453]

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization, multiple_organization (a) The failure is a property of the Android platform rather than of a single handset: Avast found that Android's factory reset option leaves deleted data in a recoverable state, a flaw in the operating system itself [Article 36453]. In its study, Avast bought 20 used Android smartphones on eBay and recovered a large amount of personal data, including photos, emails, text messages, contacts, and a completed loan application, although the previous owners had reset the phones. (b) Because the 20 devices came from different sellers and had all been reset with the phones' built-in software, the same failure recurs across the organizations that build and sell Android phones and across their users, not at one organization only; the study describes it as a huge flaw in Android phones and advises mobile owners to be more thorough when selling their phones, which points to an industry-wide problem with data sanitization on Android devices [Article 36453].
Phase (Design/Operation) design, operation (a) The software failure incident related to the design phase can be seen in the articles. Avast discovered a flaw in Android phones where even after performing a factory reset or 'delete all' operation, personal data could still be easily retrieved using publicly available programs like FTK Imager [36453]. This indicates a design flaw in the Android operating system that allowed for the recovery of deleted data, highlighting a vulnerability introduced during the system development phase. (b) The software failure incident related to the operation phase is evident in the articles as well. Users were under the impression that performing a factory reset on their Android phones would completely wipe their personal data. However, it was found that the factory reset option only cleaned the phones "only at the application layer," leaving deleted data in a recoverable state [28330]. This shows that the failure was also influenced by the operation or misuse of the system by users who were not fully aware of the implications of the factory reset option.
Boundary (Internal/External) within_system (a) within_system: The software failure incident in the articles is related to the Android operating system's factory reset option not completely wiping personal data from smartphones, leading to the recovery of sensitive information by Avast using publicly available programs like FTK Imager [36453, 28330]. Avast discovered that even after performing a factory reset or delete-all operation on Android phones, vast amounts of personal data could still be retrieved, including photos, emails, text messages, contact names, and even completed loan applications. This failure originates from within the system, as it is a flaw in the Android operating system's data wiping mechanism.
Nature (Human/Non-human) non-human_actions, human_actions (a) The software failure incident occurring due to non-human actions: - The software failure incident in the articles was primarily due to a flaw in Android phones' factory reset option, which left deleted data in a recoverable state, allowing Avast to easily retrieve personal data from used smartphones bought on eBay [36453, 28330]. - Avast discovered that even after performing a factory reset or 'delete all' operation on the devices with in-built software, vast amounts of personal data could still be recovered using publicly available programs like FTK Imager [36453]. - The study highlighted a flaw in Android phones that allowed the recovery of more than 40,000 photos, compromising selfies, emails, text messages, contact names, and even completed loan applications from just 20 used smartphones [36453]. - Avast used off-the-shelf digital forensics tools like FTK Imager to recover SMS and Facebook chats from the Android phones, indicating a flaw in the data wiping process [28330]. (b) The software failure incident occurring due to human actions: - The failure was also attributed to human actions, as users were not fully aware of the implications of the personal data stored on their smartphones when performing a factory reset or 'clean wipe' before selling or donating the devices [28330]. - Avast's mobile division president mentioned that users believed they were performing a clean wipe and factory reinstall, but the factory reinstall only cleaned the phones at the application layer, indicating a lack of understanding or awareness among users regarding data security [28330]. - The incident highlighted the challenge of making people more aware of device security, especially when smartphones contain a significant amount of personal data that users may not fully consider when selling or disposing of their devices [28330].
Dimension (Hardware/Software) software (a) The software failure incident occurring due to hardware: - The articles do not mention any software failure incident occurring due to contributing factors originating in hardware. Therefore, there is no information available regarding a software failure incident caused by hardware issues [36453, 28330]. (b) The software failure incident occurring due to software: - The software failure incident reported in the articles is related to a flaw in Android phones' factory reset option. Avast discovered that despite performing a factory reset or 'delete all' operation on Android devices, personal data could still be easily retrieved using publicly available programs like FTK Imager. This flaw in the software allowed for the recovery of large amounts of personal data from used smartphones sold online, even after consumers believed they had deleted their data [36453, 28330].
Objective (Malicious/Non-malicious) non-malicious (a) The software failure incident reported in the articles is non-malicious. The incident involved a flaw in Android phones that allowed personal data to be easily recovered even after a factory reset or 'delete all' operation. Avast discovered that the factory reset option in Android phones did not effectively delete data, leading to compromising situations where sensitive information like photos, emails, text messages, and even identities were recovered from used smartphones purchased on eBay [36453, 28330]. The incident was not caused by malicious intent but rather by a security vulnerability in the Android operating system that allowed data to be accessed by unauthorized parties.
Intent (Poor/Accidental Decisions) poor_decisions (a) The intent of the software failure incident was poor_decisions as it was a failure due to contributing factors introduced by poor decisions. The incident involved the discovery by Avast Software of a huge flaw in Android phones where they were able to easily recover large amounts of personal data from smartphones sold online, despite consumers deleting their data. The flaw was related to the ineffectiveness of Android's factory reset option in completely wiping personal data from the devices before resale [36453, 28330].
Capability (Incompetence/Accidental) development_incompetence (a) The software failure incident in the articles can be attributed to development incompetence. The incident occurred due to a flaw in Android phones where personal data could be easily recovered even after performing a factory reset or delete-all operation. Avast, a Prague-based internet security firm, discovered this flaw and was able to retrieve a significant amount of personal data from used smartphones bought on eBay, including photos, emails, text messages, contact names, and even a completed loan application [36453, 28330]. The flaw in the Android phones was a result of the devices not completely wiping personal data as intended by the users. Despite users thinking they were performing a clean wipe and factory reinstall, the factory reset option only cleaned the phones at the application layer, leaving behind recoverable data. This highlights a lack of professional competence in ensuring that personal data is securely erased from devices before resale or disposal [28330].
Duration permanent The software failure incident described in the articles is more of a permanent nature. The incident involves a flaw in Android phones' factory reset option, which led to the failure to completely delete personal data from the devices even after performing a factory reset. This flaw allowed Avast to recover a significant amount of personal data from used smartphones purchased on eBay, including photos, emails, text messages, contact names, and even a completed loan application. The failure to completely wipe the data from the phones was a persistent issue highlighted by the research conducted by Avast [36453, 28330].
Behaviour omission, value, other (a) crash: The software failure incident described in the articles does not involve a crash where the system loses state and does not perform any of its intended functions. The incident is more related to data recovery from supposedly wiped Android phones, indicating a failure in data sanitization rather than a system crash [36453, 28330]. (b) omission: The software failure incident can be categorized under omission, where the system omits to perform its intended functions at an instance(s). In this case, the Android phones failed to completely wipe personal data even after users performed a factory reset or 'delete all' operation, leading to the omission of properly deleting sensitive information [36453, 28330]. (c) timing: The incident does not involve a timing failure where the system performs its intended functions too late or too early. The issue here is more about the completeness of data deletion rather than the timing of any specific function [36453, 28330]. (d) value: The software failure incident can be classified under the value category, where the system performs its intended functions incorrectly. In this case, the Android phones failed to properly erase personal data, leading to the incorrect assumption by users that their data was securely deleted [36453, 28330]. (e) byzantine: The incident does not exhibit a byzantine behavior where the system behaves erroneously with inconsistent responses and interactions. The issue here is more straightforward, involving the failure to completely wipe personal data from the phones [36453, 28330]. (f) other: The other behavior observed in this software failure incident is the revelation of a flaw in the data wiping process of Android phones. Despite users performing factory resets or 'delete all' operations, the phones still retained significant amounts of personal data, highlighting a critical oversight in the data sanitization process [36453, 28330].

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence property, theoretical_consequence (d) property: People's material goods, money, or data was impacted due to the software failure The software failure incident discussed in the articles led to a significant impact on people's property in terms of their personal data. Avast discovered a flaw in Android phones where even after performing a factory reset or 'delete all' operation, personal data could be easily retrieved from smartphones sold online [36453]. The study by Avast revealed that from just 20 used smartphones, they were able to recover more than 40,000 photos, 750 emails and text messages, 250 contact names and email addresses, and even identities of previous owners and a completed loan application [36453]. This incident highlights the risk of selling or disposing of devices without properly safeguarding personal data, which could potentially lead to identity theft, blackmail, or stalking [36453].
Domain information, finance, other (a) The software failure incident reported in the articles is related to the industry of information. The incident involved the recovery of personal data from used smartphones, including photos, emails, text messages, and other sensitive information, highlighting the risks associated with selling or disposing of devices without properly wiping the data [36453, 28330]. (h) The incident also has implications for the finance industry, as personal information such as completed loan applications and identities of previous owners were recovered from the used smartphones, raising concerns about identity theft and potential misuse of financial data [36453, 28330]. (m) Additionally, the software failure incident is relevant to the broader category of "other" industries, as it pertains to the security and privacy implications of data stored on smartphones. The incident underscores the importance of properly wiping personal data before selling or disposing of devices to prevent unauthorized access and potential misuse of sensitive information [36453, 28330].
