The Office of the Privacy Commissioner of Canada has discovered that Staples Canada failed to completely erase personal data from returned laptops that were subsequently resold. Following an analysis of laptops returned at four Ontario Staples stores, it was revealed that 23% of the devices contained personal information such as names, email addresses, account details, email fragments, and partial facial images.
As a result of this investigation, Staples has been instructed to establish clear protocols for wiping devices, enhance employee training, and enlist an independent third party to conduct annual checks on returned products. The Privacy Commissioner initiated this inquiry after receiving reports from a former Staples sales associate alleging that laptops were not consistently wiped clean before being resold.
According to the complainant, some computers still contained the previous owner’s username and password, with unwiped personal information visible on the devices. Additionally, there was at least one instance where a laptop was resold with personal data from a previous customer still present.
Interestingly, Staples had been audited for similar issues back in 2011, and the recent investigation revealed that some of these persistent problems had not been adequately addressed even 15 years later.