It's never a good idea to return a computer or other gadget to a store without first erasing all your personal data. Stores with good policies and training will generally wipe devices back to factory settings before selling them again, but you never know when one might slip through the cracks.
We've seen this happen a few times with Best Buy, that ubiquitous chain with 1,600 stores in North America, which boasts that "more than 70 percent of the [US] population lives within 15 minutes of a Best Buy store."
The most recent incident happened last week when Michal Urban bought an open box Apple TV from a Best Buy in Mission Viejo, California. The Apple TV was still logged in to several of the previous owner's accounts, Urban told Ars. Urban provided us with screenshots showing logged-in accounts for iTunes, Netflix, Hulu, and HBO Now.
"I just got an open box Apple TV and sure enough the iTunes account is still linked, I can listen to someone's songs, watch shows, perhaps even rent a movie?" Urban told Ars.
Urban said he intends to reset the device instead of taking advantage, but he documented the evidence first. "I like Best Buy overall, they are my go-to store for electronics," Urban said, but he was disturbed by the poor security practice.
"Although one could say the original owner should have known better and reset the unit before returning it, many/most people are probably clueless in this area," Urban noted. "So if the retailer accepts the return and resells the item, it's their responsibility to return it to factory defaults. Although I'd like to believe it's not true, I suspect they completely ignore this in many cases."
Urban notified Best Buy customer service about the Apple TV that wasn't wiped. A Best Buy employee told him that his concerns had been documented so they could be "shared with the local team to ensure that our policies are being carried out with all professionalism and courtesy."
We contacted Best Buy's public relations department to find out what Best Buy's policies are for erasing returned devices.
"We have detailed procedures in place to wipe client information from the devices that are returned to our stores," Best Buy told Ars. "Our stores wipe thousands of devices and return them to factory settings each year. If that doesn't happen, it runs counter to our company values and how we expect to handle customer data."
We also asked Best Buy if it's taking any steps to make sure these apparently isolated incidents don't happen again, but the company didn't answer.
Besides the Apple TV incident, we published a story last month in which the author purchased a returned computer from Best Buy and was able to log in as the previous owner. The computer even came with a slip of paper on which the previous owner had written down his password.
"It was in the box the entire time. Not only did they sell me a computer with someone else’s data still on it, they gave me the password as well. No hacking required," the article said.
A little Google searching turned up another incident from June of this year that was detailed on a Best Buy customer forum:
I bought a computer for my sister's graduation present. An open box macbook pro 13 inch retina. I read every fine print on that page to assure that the item would a) be like new physically and b) The computer would be wiped clean and prepared for her to take overseas tomorrow.
When she received the product yesterday, however (After I did pay for 2 day shipping), the nightmare began. The computer had been left powered on in the box and was clearly overheating or close to it. But the real kicker was when she flipped it open to set it up, "Steve H"s account (the previous owner) was prompted to enter the password to login. Not only had no one checked to see if this computer had been wiped clean- they didn't even check to see if it could be accessed.
A Best Buy employee responded that "it is truly disheartening to hear that the MacBook Pro you ordered may have somehow gotten through the inspection process without actually being inspected and thus, not had a factory reset performed either. I am deeply sorry for any dissatisfaction or aggravation that this may have caused you and your sister."
The customer was originally told it would take five days to fix the problem, but "after a solid two days of hounding Best Buy in store, on the phone, and online on this forum," the customer was finally able to get the computer replaced with a brand new one.
Be careful out there, folks. And wipe those old devices.
reader comments
133